IN THE UNITED STATES PATENT AND TRADEMARK OFFICE

Inventor :
Appln. No. :
Filed :
Group Art Unit :
For : SET OF PARTICULAR KEYS FOR PROVING AUTHENTICITY OF AN ENTITY OR THE INTEGRITY OF A MESSAGE
Examiner :
Docket No. : F40.12-0006





PRELIMINARY AMENDMENT 



Box Non-Fee Amendment 
Commissioner for Patents 
Washington, D.C. 20231 
Sir : 

Please amend the above-identified application as follows:

IN THE SPECIFICATION 
On Page 1, before line 1 and after the title, please 
insert the following: 

CROSS-REFERENCE TO RELATED APPLICATION 
This application is a Section 371 National Stage
Application of International Application No. PCT/FR00/02715 filed 
September 29, 2000 and published April 12, 2001 as WO 01/26278, 
not in English. 

BACKGROUND OF THE INVENTION 

On Page 3, between lines 28 and 29, please insert the 
following: 

SUMMARY OF THE INVENTION 



EXPRESS MAIL NO. EV049900720US 
DATE OF DEPOSIT: March 29, 2002 



On page 9, line 36, delete the caption (line) and insert the
following:

BRIEF DESCRIPTION OF THE DRAWINGS
FIGS. 1A-1D, 2A, 2B, 3A and 3B are graphs useful in
explaining the present invention.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS 

IN THE CLAIMS 
Please amend claims 1, 3-7, 9 and 11 as follows: 

1. (Amended) A process intended to prove to a controller entity,
the authenticity of an entity and/or

the integrity of a message M associated with this entity;
said process implementing:

a public modulus n constituted by the product of f prime
factors $p_1, p_2, \ldots, p_f$, where f is greater than or equal to 2, or
implementing the f prime factors;

m different whole base numbers $g_1, g_2, \ldots, g_m$, where m is
greater than or equal to 1, $g_i$ being less than the f prime
factors $p_1, p_2, \ldots, p_f$;

m pairs of private $Q_1, Q_2, \ldots, Q_m$ and public $G_1, G_2, \ldots, G_m$
values, where m is greater than or equal to 1) or parameters
derived from them;

said modulus and said private and public values being
connected by relations of the type:

$G_i \cdot Q_i^v \equiv 1 \bmod n$ or $G_i \equiv Q_i^v \bmod n$

said public value $G_i$ being the square $g_i^2$ of the base number,
v denoting a public exponent of the form:

$v = 2^k$

where k is a security parameter greater than 1;
the process according to the invention including the step of
producing the f prime factors $p_1, p_2, \ldots, p_f$ and/or the m base
numbers $g_1, g_2, \ldots, g_m$ in such a way that:

a) each of the equations:

$x^v \equiv g_i^2 \bmod n$

has solutions in x in the ring of the integers modulo n;

b) where $G_i \equiv Q_i^v \bmod n$, among the m numbers $q_i$ obtained by
raising $Q_i$ to the square modulo n, k-1 times of rank, one of them
is different from $\pm g_i$ (in other words is nontrivial), and

where $G_i \cdot Q_i^v \equiv 1 \bmod n$, among the m numbers $q_i$ obtained by
raising the inverse of $Q_i$ to the square modulo n, k-1 times of
rank, one of them is different from $\pm g_i$ (in other words is
nontrivial);

c) among the 2m equations:

$x^2 \equiv g_i \bmod n$
$x^2 \equiv -g_i \bmod n$

at least one of them has solutions in x in the ring of the
integers modulo n;

the process for producing the f prime factors $p_1, p_2$ to $p_f$
and/or the m base numbers $g_1, g_2$ to $g_m$ includes the step of
choosing:

the security parameter k

the m base numbers $g_1, g_2$ to $g_m$ and/or the f prime factors
$p_1, p_2$ to $p_f$.

Claim 2 remains unchanged. 

3. (Amended) A process according to claim 1 such that the
security parameter k is a small whole number, particularly less
than 100.

4. (Amended) A process according to claim 1 such that the size
of the modulus n is more than several hundred bits.

5. (Amended) A process according to claim 1 such that the f
prime factors $p_1, p_2$ to $p_f$ have a size close to the size of the
modulus n divided by the number f of factors.

6. (Amended) A process according to claim 1 such that to test
the first condition, the compatibility of the numbers k, p, g is
verified by implementing the algorithm of:

by h is denoted a number such that $2^h$ divides the rank of g
relative to p and such that $2^{h+1}$ does not divide it,

h is computed from the Legendre symbol $(g|p)$ and from a
number b equal to a $2^t$-th primitive root of the unit in CG(p),
if $(g|p) = -1$ then h = t
if $(g|p) = +1$ with t = 1, then h = 0

if $(g|p) = +1$ with t > 1, then the key $\langle (p-1+2^t)/2^{t-1}, p \rangle$
is applied to G, a result w is thus obtained:
if w = +g, then h = 0
if w = p-g, then h = +1

otherwise, the computation sub-modulus below is
applied, by initializing the variable c attributing to it the
value b, then iterating the following steps for values of i from
t-1 to 2:

step 1) the key $\langle 2^i, p \rangle$ is applied to w/g (mod p),
if the result obtained is equal to +1, continue to step 2,
if the result obtained is equal to -1, the value i is attributed
to h and w is replaced by w.c (mod p),

step 2) c is replaced by $c^2$ (mod p),

the value of h sought is that obtained the last time the
application of the key $\langle 2^i, p \rangle$, in accordance with step 1, produced
a result equal to -1.

7. (Amended) A process according to claim 6 such that to test
the second condition, a check is made that at least one set
$\{\delta_{i,1} \ldots \delta_{i,f}\}$ is variable or nil.



Claim 8 remains unchanged.

9. (Amended) A process according to claim 1 such that to
compute the f.m private components $Q_{i,j}$ of the private values
$Q_1, Q_2, \ldots, Q_m$ ($Q_{i,j} \equiv Q_i \bmod p_j$), where $G_i \equiv Q_i^v \bmod n$:
if t = 1 (i.e. if $p_j \equiv 3 \pmod 4$):

a number $s_j$ is computed such that
$s_j \equiv ((p_j+1)/4)^k \pmod{(p_j-1)/2}$,
its key $\langle s_j, p_j \rangle$ is deduced,
the key $\langle s_j, p_j \rangle$ is applied to $G_i$,
so $w \equiv G_i^{s_j} \pmod{p_j}$, and

the two possible values of $Q_{i,j}$ are $w$, $p_j - w$;
if t = 2 (i.e. if $p_j \equiv 5 \pmod 8$):

a number $s_j$ is computed such that
$s_j \equiv ((p_j+3)/8)^k \pmod{(p_j-1)/4}$,
its key $\langle s_j, p_j \rangle$ is deduced,
the key $\langle s_j, p_j \rangle$ is applied to $G_i$,
so $w \equiv G_i^{s_j} \pmod{p_j}$ and $w' \equiv w \cdot z \pmod{p_j}$, and

the four possible values of $Q_{i,j}$ are $w$, $p_j - w$, $w'$, $p_j - w'$,
if t>2 (i.e. if $p_j \equiv 2^t+1 \pmod{2^{t+1}}$) and if h=0 or if h=1,
a number $s_j$ is computed such that
$s_j \equiv ((p_j-1+2^t)/2^{t+1})^k \pmod{(p_j-1)/2^t}$,
its key $\langle s_j, p_j \rangle$ is deduced,
the key $\langle s_j, p_j \rangle$ is applied to $G_i$,
so $w \equiv G_i^{s_j} \pmod{p_j}$,
the $2^{\min(k,t)}$ possible values of $Q_{i,j}$ are equal to the product
of w by any one of the $2^{\min(k,t)}$-th roots of the unit in CG($p_j$).

if t>2 (i.e. if $p_j \equiv 2^t+1 \pmod{2^{t+1}}$) and if h>1 and if $h+k \le t+1$,
$s_j$ is computed such that
$s_j \equiv ((p_j-1+2^t)/2^{t+1})^{k+h-1} \pmod{(p_j-1)/2^t}$,
its key $\langle s_j, p_j \rangle$ is deduced,

the key $\langle s_j, p_j \rangle$ is applied to the $2^{h-1}$-th power $G_i$,
so w is thus obtained, and
the $2^k$ possible values of $Q_{i,j}$ belong to all the products of
w by the $2^{k+h-1}$-th primitive roots of the unit in CG($p_j$).

Claim 10 remains unchanged.

11. (Amended) A process according to claim 1, of allowing the f
prime factors $p_1, p_2, \ldots, p_f$ or the m base numbers $g_1, g_2, \ldots, g_m$ to be
produced:

said process being intended to prove to a controller entity,
the authenticity of an entity and/or

the integrity of a message M associated with this entity,
by means of m pairs of private $Q_1, Q_2, \ldots, Q_m$ and public $G_1, G_2, \ldots,
G_m$ values, where m is greater than or equal to 1) or parameters
derived from them, particularly by means of the private
components $Q_{i,j}$:

said process implementing an entity called a witness by:
said witness entity having the f prime factors $p_i$ and/or the
parameters of the values of the Chinese remainders of the prime
factors, and/or the public modulus n and/or the m private values
$Q_i$ and/or the f.m private components $Q_{i,j}$ of the private values $Q_i$
and the public exponent v;

the witness computes commitments R in the ring of the
integers modulo n: each commitment being computed:

either by performing operations of the type

$R \equiv r^v \bmod n$
where r is a random number such that 0<r<n,
or

by performing operations of the type

$R_i \equiv r_i^v \bmod p_i$

where $r_i$ is a random number associated with the prime number
$p_i$ such that $0 < r_i < p_i$, each $r_i$ belonging to a collection of random
numbers $\{r_1, r_2$ to $r_f\}$,

then by applying the method of Chinese remainders;

the witness receives one or more challenges d; each
challenge d comprising m integers $d_i$ hereinafter called
elementary challenges; the witness computes from each challenge d
a response D,

either by performing operations of the type
$D \equiv r \cdot Q_1^{d_1} \cdot Q_2^{d_2} \cdots Q_m^{d_m} \bmod n$

or

by performing operations of the type

$D_i \equiv r_i \cdot Q_{i,1}^{d_1} \cdot Q_{i,2}^{d_2} \cdots Q_{i,m}^{d_m} \bmod p_i$
then by applying the method of Chinese remainders;
said process being such that there are as many responses D
as challenges d and commitments R, each group of numbers R, d, D
constituting a triplet denoted {R,d,D}.
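
An added illustration, not part of the application, of the witness/controller exchange of claim 11 with private components computed as in the t = 1 case of claim 9. The toy primes, bases, random values, challenge and all function names are constructed for the example; the controller's check is not stated in this section and is assumed here as the identity that follows from $G_i \equiv Q_i^v \bmod n$.

```python
from math import gcd, prod

def crt(residues, primes):
    """Method of Chinese remainders: the x mod n with x = residues[j] mod primes[j]."""
    n = prod(primes)
    return sum(a * (n // p) * pow(n // p, -1, p) for a, p in zip(residues, primes)) % n

def private_components(g, k, primes):
    """Components Q_{i,j} of one private value, case t = 1 of claim 9 (G = Q^v mod n)."""
    comps = []
    for p in primes:
        if p % 4 != 3 or not 1 < g < p:
            raise ValueError("sketch covers only p = 3 mod 4 with 1 < g < p")
        s = pow((p + 1) // 4, k, (p - 1) // 2)   # s_j = ((p_j+1)/4)^k mod (p_j-1)/2
        comps.append(pow(g * g % p, s, p))       # w = G^(s_j) mod p_j
    return comps

def commit(r_parts, v, primes):
    """Witness: R_j = r_j^v mod p_j for each prime, then Chinese remainders."""
    return crt([pow(r, v, p) for r, p in zip(r_parts, primes)], primes)

def respond(r_parts, d, comps, primes):
    """Witness: D_j = r_j * prod_i Q_{i,j}^(d_i) mod p_j, then Chinese remainders."""
    parts = []
    for j, p in enumerate(primes):
        D_j = r_parts[j]
        for d_i, Q_i in zip(d, comps):
            D_j = D_j * pow(Q_i[j], d_i, p) % p
        parts.append(D_j)
    return crt(parts, primes)

def controller_accepts(R, d, D, G, v, n):
    """Controller (assumed check): D^v = R * prod_i G_i^(d_i) mod n, since G_i = Q_i^v."""
    rhs = R
    for d_i, G_i in zip(d, G):
        rhs = rhs * pow(G_i, d_i, n) % n
    return pow(D, v, n) == rhs

def factor_from_private_value(Q, g, k, n):
    """q = Q^(2^(k-1)) mod n squares to g^2; if q != +-g, gcd(q - g, n) splits n."""
    q = pow(Q, 2 ** (k - 1), n)
    if q in (g, n - g):
        return None                              # trivial: q = +-g, nothing learned
    return gcd(q - g, n)

# Constructed toy parameters (far too small for real use).
PRIMES = (31, 19)          # both 3 mod 4, so t = 1
K = 3                      # security parameter k
V = 2 ** K                 # public exponent v = 2^k
N = prod(PRIMES)           # public modulus n
BASES = (2, 3)             # base numbers g_1, g_2
COMPS = [private_components(g, K, PRIMES) for g in BASES]
Q = [crt(c, PRIMES) for c in COMPS]
G = [g * g % N for g in BASES]

def run_round(r_parts=(12, 7), d=(3, 1)):
    """One triplet {R, d, D}; r_parts and d are fixed here so the run is repeatable."""
    R = commit(r_parts, V, PRIMES)
    D = respond(r_parts, d, COMPS, PRIMES)
    return R, d, D

if __name__ == "__main__":
    R, d, D = run_round()
    print("triplet:", R, d, D, "accepted:", controller_accepts(R, d, D, G, V, N))
    for g, Qi in zip(BASES, Q):
        print("g =", g, "factor from Q:", factor_from_private_value(Qi, g, K, N))
```

With these values the private value for g = 2 yields a nontrivial q and therefore a factor of n, while the one for g = 3 yields only the trivial q = n - g.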



Please add new claims 12-20 as follows:

12. (New) The process according to claim 2 such that the security
parameter k is a small whole number, particularly less than 100.

13. (New) The process according to claim 2 such that the size of
the modulus n is more than several hundred bits.

14. (New) A process according to claim 2 such that the f prime
factors $p_1, p_2$ to $p_f$ have a size close to the size of the modulus
n divided by the number f of factors.

15. A process according to claim 2 such that to test the first
condition, the compatibility of the numbers k, p, g is verified
by implementing the algorithm of:

by h is denoted a number such that $2^h$ divides the rank of g
relative to p and such that $2^{h+1}$ does not divide it,

h is computed from the Legendre symbol $(g|p)$ and from a
number b equal to a $2^t$-th primitive root of the unit in CG(p),
if $(g|p) = -1$ then h = t
if $(g|p) = +1$ with t = 1, then h = 0

if $(g|p) = +1$ with t > 1, then the key $\langle (p-1+2^t)/2^{t-1}, p \rangle$
is applied to G, a result w is thus obtained:
if w = +g, then h = 0
if w = p-g, then h = +1

otherwise, the computation sub-modulus below is
applied, by initializing the variable c attributing to it the
value b, then iterating the following steps for values of i from
t-1 to 2:

step 1) the key $\langle 2^i, p \rangle$ is applied to w/g (mod p), and if the
result obtained is equal to +1, continue to step 2,

if the result obtained is equal to -1, the value i is
attributed to h and w is replaced by w.c (mod p),

step 2) c is replaced by $c^2$ (mod p),
the value of h sought is that obtained the last time the
application of the key $\langle 2^i, p \rangle$, in accordance with step 1, produced
a result equal to -1.

16. A process according to claim 3 such that the size of the
modulus n is more than several hundred bits.

17. A process according to claim 3 such that the f prime factors
$p_1, p_2$ to $p_f$ have a size close to the size of the modulus n
divided by the number f of factors.

18. A process according to claim 3 such that to test the first
condition, the compatibility of the numbers k, p, g is verified
by implementing the algorithm of:

by h is denoted a number such that $2^h$ divides the rank of g
relative to p and such that $2^{h+1}$ does not divide it,

h is computed from the Legendre symbol $(g|p)$ and from a
number b equal to a $2^t$-th primitive root of the unit in CG(p),
if $(g|p) = -1$ then h = t
if $(g|p) = +1$ with t = 1, then h = 0

if $(g|p) = +1$ with t > 1, then the key $\langle (p-1+2^t)/2^{t-1}, p \rangle$
is applied to G, a result w is thus obtained:
if w = +g, then h = 0
if w = p-g, then h = +1

otherwise, the computation sub-modulus below is
applied, by initializing the variable c attributing to it the
value b, then iterating the following steps for values of i from
t-1 to 2:

step 1) the key $\langle 2^i, p \rangle$ is applied to w/g (mod p), and if the
result obtained is equal to +1, continue to step 2,

if the result obtained is equal to -1, the value i is
attributed to h and w is replaced by w.c (mod p),

step 2) c is replaced by $c^2$ (mod p),
the value of h sought is that obtained the last time the
application of the key $\langle 2^i, p \rangle$, in accordance with step 1, produced
a result equal to -1.

19. A process according to claim 4 such that the f prime factors
$p_1, p_2$ to $p_f$ have a size close to the size of the modulus n
divided by the number f of factors.

20. A process according to claim 4 such that to test the first
condition, the compatibility of the numbers k, p, g is verified
by implementing the algorithm of:

by h is denoted a number such that $2^h$ divides the rank of g
relative to p and such that $2^{h+1}$ does not divide it,

h is computed from the Legendre symbol $(g|p)$ and from a
number b equal to a $2^t$-th primitive root of the unit in CG(p),
if $(g|p) = -1$ then h = t
if $(g|p) = +1$ with t = 1, then h = 0

if $(g|p) = +1$ with t > 1, then the key $\langle (p-1+2^t)/2^{t-1}, p \rangle$
is applied to G, a result w is thus obtained:
if w = +g, then h = 0
if w = p-g, then h = +1

otherwise, the computation sub-modulus below is
applied, by initializing the variable c attributing to it the
value b, then iterating the following steps for values of i from
t-1 to 2:

step 1) the key $\langle 2^i, p \rangle$ is applied to w/g (mod p), and if the
result obtained is equal to +1, continue to step 2,

if the result obtained is equal to -1, the value i is
attributed to h and w is replaced by w.c (mod p),

step 2) c is replaced by $c^2$ (mod p),
the value of h sought is that obtained the last time the
application of the key $\langle 2^i, p \rangle$, in accordance with step 1, produced
a result equal to -1.

REMARKS

Favorable action is respectfully requested.

The Director is authorized to charge any fee deficiency
required by this paper or credit any overpayment to Deposit
Account No. 23-1123.

Respectfully submitted,
WESTMAN, CHAMPLIN & KELLY, P.A.

Robert M. Angus, Reg. No. 24,383
Suite 1600 - International Centre
900 Second Avenue South
Minneapolis, Minnesota 55402-3319
Phone: (612) 334-3222 Fax: (612) 334-3312

RMA:tas

MARKED-UP VERSION OF REPLACEMENT CLAIMS

1. (Amended) A process intended to prove to a controller entity,
- the authenticity of an entity and/or

- the integrity of a message M associated with this entity;
said process implementing:

- a public modulus n constituted by the product of f prime
factors $p_1, p_2, \ldots, p_f$, where [(]f [being] is greater than or equal to 2[)],
or implementing the f prime factors;

- m different whole base numbers $g_1, g_2, \ldots, g_m$, where [(]m
[being] is greater than or equal to 1[)], $g_i$ being less than the f
prime factors $p_1, p_2, \ldots, p_f$;

- m pairs of private $Q_1, Q_2, \ldots, Q_m$ and public $G_1, G_2, \ldots, G_m$
values, where [(]m [being] is greater than or equal to 1[)] or
parameters derived from them;

said modulus and said private and public values being
connected by relations of the type:

$G_i \cdot Q_i^v \equiv 1 \bmod n$ or $G_i \equiv Q_i^v \bmod n$

said public value $G_i$ being the square $g_i^2$ of the base number,

v denoting a public exponent of the form:

$v = 2^k$

where k is a security parameter greater than 1;
the process according to the invention including the step of
producing the f prime factors $p_1, p_2, \ldots, p_f$ and/or the m base
numbers $g_1, g_2, \ldots, g_m$ in such a way that: [the following conditions
are met.

First condition:

According to the first condition,] a) each of the equations:

$x^v \equiv g_i^2 \bmod n$

has solutions in x in the ring of the integers modulo n;

[Second condition:]

b) where $G_i \equiv Q_i^v \bmod n$, among the m numbers $q_i$ obtained by
raising $Q_i$ to the square modulo n, k-1 times of rank, one of them
is different from $\pm g_i$ (in other words is nontrivial), and

where $G_i \cdot Q_i^v \equiv 1 \bmod n$, among the m numbers $q_i$ obtained by
raising the inverse of $Q_i$ to the square modulo n, k-1 times of
rank, one of them is different from $\pm g_i$ (in other words is
nontrivial);

[Third condition:]

c) among the 2m equations:

$x^2 \equiv g_i \bmod n$ [(2)]
$x^2 \equiv -g_i \bmod n$ [(3)]

at least one of them has solutions in x in the ring of the
integers modulo n;

the process [according to the invention] for producing the f
prime factors $p_1, p_2$ to $p_f$ and/or the m base numbers $g_1, g_2$ to $g_m$
includes the step of choosing [firstly]:
- the security parameter k

- the m base numbers $g_1, g_2$ to $g_m$ and/or the f prime factors
$p_1, p_2$ to $p_f$.

Claim 2 remains unchanged.

3. (Amended) A process according to [one of the] claim[s] 1 [or 2]
such that the security parameter k is a small whole number,
particularly less than 100.

4. (Amended) A process according to [any one of] claim[s] 1 [to 3]
such that the size of the modulus n is more than several hundred
bits.

5. (Amended) A process according to [any one of] claim[s] 1 [to 4]
such that the f prime factors $p_1, p_2$ to $p_f$ have a size close to
the size of the modulus n divided by the number f of factors.

6. (Amended) A process according to [any one of] claim[s] 1 [to 5]
such that to test the first condition, the compatibility of the
numbers k, p, g is verified by implementing the algorithm [given
below] of:

- by h is denoted a number such that $2^h$ divides the rank of g
relative to p and such that $2^{h+1}$ does not divide it,

- h is computed from the Legendre symbol $(g|p)$ and from a
number b equal to a $2^t$-th primitive root of the unit in CG(p),

- if $(g|p) = -1$ then h = t

- if $(g|p) = +1$ with t = 1, then h = 0

- if $(g|p) = +1$ with t > 1, then the key $\langle (p-1+2^t)/2^{t-1}, p \rangle$
is applied to G, a result w is thus obtained:

- if w = +g, then h = 0
- if w = p-g, then h = +1

- otherwise, the computation sub-modulus below is
applied, by initializing the variable c attributing to it the
value b, then iterating the following steps for values of i from
t-1 to 2:

step 1) the key $\langle 2^i, p \rangle$ is applied to w/g (mod p),

- if the result obtained is equal to +1, [go] continue to step 2,
- if the result obtained is equal to -1, the value i is
attributed to h and w is replaced by w.c (mod p),
step 2) c is replaced by $c^2$ (mod p),

the value of h sought is that obtained the last time the
application of the key $\langle 2^i, p \rangle$, in accordance with step 1, produced
a result equal to -1.

[(it may be recalled that:

- k, g, p are incompatible when h>1 and when $k+h > t+1$,
- k, g, p are compatible when h=0 or 1, whatever the value of k,
or when h>1 and when $k+h \le t+1$).

(in said algorithm, the Legendre symbol and t have the sense
defined in the description).]

7. (Amended) A process according to claim 6 such that to test
the second condition, a check is made that at least one set
$\{\delta_{i,1} \ldots \delta_{i,f}\}$ is variable or nil.

[($\delta$ has the sense defined in the description).]

Claim 8 remains unchanged. 

9. (Amended) A process according to [any one of] claim[s] 1 [to 8]
such that to compute the f.m private components $Q_{i,j}$ of the
private values $Q_1, Q_2, \ldots, Q_m$ ($Q_{i,j} \equiv Q_i \bmod p_j$), where $G_i \equiv Q_i^v \bmod n$:
if t = 1 (i.e. if $p_j \equiv 3 \pmod 4$):

- a number $s_j$ is computed such that $s_j \equiv ((p_j+1)/4)^k \pmod{(p_j-1)/2}$,

- its key $\langle s_j, p_j \rangle$ is deduced,

- the key $\langle s_j, p_j \rangle$ is applied to $G_i$,

- [we thus have:] so $w \equiv G_i^{s_j} \pmod{p_j}$, and

- the two possible values of $Q_{i,j}$ are $w$, $p_j - w$;

if t = 2 (i.e. if $p_j \equiv 5 \pmod 8$):

- a number $s_j$ is computed such that $s_j \equiv ((p_j+3)/8)^k \pmod{(p_j-1)/4}$,

- its key $\langle s_j, p_j \rangle$ is deduced,

- the key $\langle s_j, p_j \rangle$ is applied to $G_i$,

- [we thus have:] so $w \equiv G_i^{s_j} \pmod{p_j}$ and $w' \equiv w \cdot z \pmod{p_j}$, and

- the four possible values of $Q_{i,j}$ are $w$, $p_j - w$, $w'$, $p_j - w'$,

[(in said algorithm z has the sense defined in the
description).]

- if t>2 (i.e. if $p_j \equiv 2^t+1 \pmod{2^{t+1}}$) and if h=0 or if h=1,

- a number $s_j$ is computed such that
$s_j \equiv ((p_j-1+2^t)/2^{t+1})^k \pmod{(p_j-1)/2^t}$,

- its key $\langle s_j, p_j \rangle$ is deduced,

- the key $\langle s_j, p_j \rangle$ is applied to $G_i$,
- [we thus have:] so $w \equiv G_i^{s_j} \pmod{p_j}$,

- the $2^{\min(k,t)}$ possible values of $Q_{i,j}$ are equal to the
product of w by any one of the $2^{\min(k,t)}$-th roots of the unit in
CG($p_j$).

- if t>2 (i.e. if $p_j \equiv 2^t+1 \pmod{2^{t+1}}$) and if h>1 and if $h+k \le t+1$,
- $s_j$ is computed such that
$s_j \equiv ((p_j-1+2^t)/2^{t+1})^{k+h-1} \pmod{(p_j-1)/2^t}$,

- its key $\langle s_j, p_j \rangle$ is deduced,

- the key $\langle s_j, p_j \rangle$ is applied to the $2^{h-1}$-th power $G_i$,

- so w is thus obtained, and

- the $2^k$ possible values of $Q_{i,j}$ belong to all the
products of w by the $2^{k+h-1}$-th primitive roots of the unit in
CG($p_j$).

Claim 10 remains unchanged. 

11. (Amended) A process [applying the process,] according to [any
one of the] claim[s] 1 [to 8], of allowing the f prime factors $p_1, p_2,
\ldots, p_f$ or the m base numbers $g_1, g_2, \ldots, g_m$ to be produced:

said process being intended to prove to a controller entity,

- the authenticity of an entity and/or

- the integrity of a message M associated with this entity,
by means of m pairs of private $Q_1, Q_2, \ldots, Q_m$ and public $G_1, G_2, \ldots,
G_m$ values, where [(]m [being] is greater than or equal to 1) or
parameters derived from them, particularly by means of the
private components $Q_{i,j}$:

said process implementing [according to the steps hereinafter]
an entity called a witness by:

said witness entity having the f prime factors $p_i$ and/or the
parameters of the values of the Chinese remainders of the prime
factors, and/or the public modulus n and/or the m private values
$Q_i$ and/or the f.m private components $Q_{i,j}$ of the private values $Q_i$
and the public exponent v;

the witness computes commitments R in the ring of the
integers modulo n: each commitment being computed:

- either by performing operations of the type

$R \equiv r^v \bmod n$

where r is a random number such that 0<r<n,

- or

- by performing operations of the type

$R_i \equiv r_i^v \bmod p_i$

where $r_i$ is a random number associated with the prime number
$p_i$ such that $0 < r_i < p_i$, each $r_i$ belonging to a collection of random
numbers $\{r_1, r_2$ to $r_f\}$,

- then by applying the method of Chinese remainders;

- the witness receives one or more challenges d; each
challenge d comprising m integers $d_i$ hereinafter called
elementary challenges; the witness computes from each challenge d
a response D,

- either by performing operations of the type

$D \equiv r \cdot Q_1^{d_1} \cdot Q_2^{d_2} \cdots Q_m^{d_m} \bmod n$

- or

- by performing operations of the type

$D_i \equiv r_i \cdot Q_{i,1}^{d_1} \cdot Q_{i,2}^{d_2} \cdots Q_{i,m}^{d_m} \bmod p_i$

- then by applying the method of Chinese remainders;

said process being such that there are as many responses D
as challenges d and commitments R, each group of numbers R, d, D
constituting a triplet denoted {R,d,D}.

SET OF SPECIAL KEYS INTENDED TO PROVE THE AUTHENTICITY
OF AN ENTITY OR THE INTEGRITY OF A MESSAGE

The present invention relates to the technical
field of the processes, systems and devices intended to
prove the authenticity of an entity and/or the integrity
and/or the authenticity of a message.

The patent EP 0 311 470 B1 whose inventors are
Louis Guillou and Jean-Jacques Quisquater describes such
a process. Reference will be made hereinafter to their
work by the terms: "GQ patent" or "GQ process".
Hereinafter the terms "GQ2", "GQ2 invention" or "GQ2
technology" will sometimes be used to denote new
developments in GQ technology which are subject to
applications pending filed on the same day as the
present application by France Telecom, TDF and the
Math RiZK Company and having Louis Guillou and
Jean-Jacques Quisquater as inventors. The characteristic
features of these pending applications are recalled
whenever it is necessary in the following description.

According to the GQ process, an entity called a
"trusted authority" assigns an identity to each entity
called a "witness" and computes its RSA signature:
during a customizing process, the trusted authority
gives the witness an identity and signature. Thereafter,
the witness states: "Here is my identity; I know its RSA
signature." The witness proves, without revealing it, that
he knows the RSA signature of his identity. By means of
the RSA public verification key distributed by the
trusted authority, an entity called a "controller"
verifies, without obtaining knowledge thereof, that the
RSA signature corresponds to the declared identity. The
mechanisms using the GQ process operate "without
transfer of knowledge". According to the GQ process, the
witness does not know the RSA private key with which the
trusted authority signs a large number of identities.

The GQ technology previously described uses RSA
technology. But if RSA technology truly depends on the
factorization of the modulus n, this dependence is not
an equivalence, far from it, as is shown by the so-called
"multiplicative" attacks against the different
digital signature standards implementing RSA technology.

The objective of GQ2 technology is twofold: on the
one hand, to improve performance relative to RSA
technology; on the other hand, to avert the problems
inherent in RSA technology. Knowledge of the GQ2
private key is equivalent to knowledge of the
factorization of modulus n. Any attack at the level of
the GQ2 triplets goes back to the factorization of
modulus n: this time there is equivalence. With GQ2
technology, the work load is reduced, both for the
entity which signs or which authenticates itself and for
the one that controls. By making better use of the
factorization problem, both in security and in
performance, GQ2 technology avoids the drawbacks
presented by RSA technology.

The GQ process implements modulo computations of
numbers of 512 bits or more. These computations relate
to numbers having approximately the same size raised to
powers of about $2^{16} + 1$. Existing microelectronic
infrastructures, particularly in the field of bank
cards, use monolithic self-programmable microprocessors
without arithmetical coprocessors. The work load
associated with the multiple arithmetical operations
involved in processes like the GQ process leads to
computation times which in some cases prove to be
disadvantageous for consumers using bank cards to pay
for their purchases. It is recalled here that, in
seeking to increase the security of payment cards, the
banking authorities have raised a problem which is
particularly difficult to resolve. Indeed, two apparently
contradictory questions have to be resolved: increase
security by using increasingly lengthy and distinct keys
for each card while preventing the work load from
leading to excessive computation times for users. This
problem becomes especially acute insofar as,
additionally, the existing infrastructure and existing
microprocessor components should be taken into account.

GQ2 technology brings a solution to this problem
while tightening security.

GQ2 technology implements prime factors having
particular properties. Different technologies exist to
produce these prime factors. The subject of the present
invention is a process making it possible to produce
prime factors of this kind systematically. It also
relates to the application which can be made of them
more particularly in implementing the GQ2 technology. It
is stressed here and now that these particular prime
factors and the process allowing them to be obtained can
be applied outside the field of GQ2 technology.

The invention applies to a process intended to
prove to a controller entity,

- the authenticity of an entity and/or

- the integrity of a message M associated with this
entity.

Such a process implements:

- a public modulus n constituted by the product of
f prime factors $p_1, p_2, \ldots, p_f$ (f being greater than or
equal to 2) or implementing the f prime factors,

- m different whole base numbers $g_1, g_2, \ldots, g_m$ (m
being greater than or equal to 1), $g_i$ being less than the
f prime factors $p_1, p_2, \ldots, p_f$,

- m pairs of private $Q_1, Q_2, \ldots, Q_m$ and public $G_1, G_2,
\ldots, G_m$ values (m being greater than or equal to 1) or
parameters derived from them.

Said modulus and said private and public values are
connected by relations of the type:

$G_i \cdot Q_i^v \equiv 1 \bmod n$ or $G_i \equiv Q_i^v \bmod n$

said public value $G_i$ being the square $g_i^2$ of the base
number, v denoting a public exponent of the form:

$v = 2^k$

where k is a security parameter greater than 1.

The process according to the invention includes the
step of producing the f prime factors $p_1, p_2, \ldots, p_f$ and/or
the m base numbers $g_1, g_2, \ldots, g_m$ in such a way that the
following conditions are met.

First condition:

According to the first condition, each of the
equations:

$x^v \equiv g_i^2 \bmod n$ (1)

has solutions in x in the ring of integers modulo n.

Second condition:

According to the second condition, where $G_i \equiv Q_i^v
\bmod n$, among the m numbers $q_i$ obtained by raising $Q_i$ to
the square modulo n, k-1 times of rank, one of them is
different from $\pm g_i$ (in other words is nontrivial).

According to the second condition, where $G_i \cdot Q_i^v \equiv
1 \bmod n$, among the m numbers $q_i$ obtained by raising the
inverse of $Q_i$ modulo n to the square modulo n, k-1 times
of rank, one of them is different from $\pm g_i$ (in other words
is nontrivial).

It is hereby stated that according to a common
notation $\pm g_i$ represents the numbers $g_i$ and $n - g_i$.

Third condition:

According to the third condition, among the 2m
equations:

$x^2 \equiv g_i \bmod n$ (2)
$x^2 \equiv -g_i \bmod n$ (3)

at least one of them has solutions in x in the ring of
integers modulo n.

The process according to the invention for
producing the f prime factors $p_1, p_2, \ldots, p_f$ and/or the m
base numbers $g_1, g_2, \ldots, g_m$ includes the step of choosing
firstly:

• the security parameter k

• the m base numbers $g_1, g_2, \ldots, g_m$ and/or the f
prime factors $p_1, p_2, \ldots, p_f$, according to whether it is a
matter of producing the f prime factors $p_1, p_2, \ldots, p_f$ or
the m base numbers $g_1, g_2, \ldots, g_m$.

Preferably, the m base numbers $g_1, g_2, \ldots, g_m$ are
chosen at least partly among the first whole numbers.

Preferably, the security parameter k is a small
whole number, particularly less than 100.

Preferably, the size of the modulus n is larger
than several hundred bits.

Preferably, the f prime factors $p_1, p_2, \ldots, p_f$ have a
size close to the size of the modulus n divided by the
number f of factors.



To test the first condition, the compatibility of
the numbers k, p, g is verified by implementing the
algorithm given below, where h denotes a number such
that $2^h$ divides the rank of g relative to p and such that
$2^{h+1}$ does not divide it. h is computed from the Legendre
symbol $(g|p)$ and from a number b equal to a $2^t$-th
primitive root of the unit in CG(p), where the Legendre
symbol $(g_i|p_j)$ and t have the sense defined hereinafter
in the description.

Here are the steps of this algorithm:

• if $(g|p) = -1$ then h = t

• if $(g|p) = +1$ with t = 1, then h = 0

• if $(g|p) = +1$ with t > 1, the procedure is as
follows.

The key $\langle (p-1+2^t)/2^{t+1}, p \rangle$ is applied to G, a result w
is thus obtained:

• if w = +g, then h = 0

• if w = p-g, then h = +1.

If w is different from +g or from p-g (in this case
t is greater than 2), a computation sub-modulus is
applied. The variable c is initialised by attributing to it
the value b, then the following steps of the computation
sub-modulus are iterated for values of i running from
t-1 to 2:

Step 1: the key $\langle 2^i, p \rangle$ is applied to w/g (mod p),

• if the result obtained is equal to +1, go to step 2,

• if the result obtained is equal to -1, the value
i is attributed to h and w is replaced by w.c (mod p),

Step 2: c is replaced by $c^2$ (mod p),

The value of h sought is that obtained the last
time the application of the key $\langle 2^i, p \rangle$, in accordance
with step 1, produced a result equal to -1.

It may be remembered that:

- k, g, p are incompatible when h>1 and when
$k+h > t+1$,
- k, g, p are compatible when h=0 or 1, whatever
the value of k, or when h>1 and when $k+h \le t+1$.

To test the second condition, a check is made that at least one
set $\{\delta_{i,1} \ldots \delta_{i,f}\}$ is variable or nil
($\delta$ has the sense defined hereinafter in the description).

To test the third condition, a check is made that there is a base
number $g_i$ from $g_1$ to $g_m$ such that the f Legendre symbols
$(g_i|p_1)$ to $(g_i|p_f)$ are all equal to +1 or else the Legendre
symbols $(-g_i|p_1)$ to $(-g_i|p_f)$ are all equal to +1.

To compute the f.m private components $Q_{i,j}$ of the private
values $Q_1, Q_2, \ldots Q_m$ ($Q_{i,j} \equiv Q_i \bmod p_j$),
where $G_i \equiv Q_i^v \bmod n$, the procedure is as follows,
distinguishing the cases according to the values of t.

Where t = 1 (i.e. if $p_j \equiv 3 \pmod 4$):

• a number $s_j$ is computed such that
$s_j \equiv ((p_j+1)/4)^k \pmod{(p_j-1)/2}$,

• its key $\langle s_j, p_j \rangle$ is deduced,

• the key $\langle s_j, p_j \rangle$ is applied to $G_i$,

• we thus have: $w \equiv G_i^{s_j} \pmod{p_j}$.

The two possible values of $Q_{i,j}$ are $w$, $p_j - w$.

Where t = 2 (i.e. if $p_j \equiv 5 \pmod 8$):

• a number $s_j$ is computed such that
$s_j \equiv ((p_j+3)/8)^k \pmod{(p_j-1)/4}$,

• its key $\langle s_j, p_j \rangle$ is deduced,

• the key $\langle s_j, p_j \rangle$ is applied to $G_i$,

• we thus have: $w \equiv G_i^{s_j} \pmod{p_j}$ and
$w' \equiv w \cdot z \pmod{p_j}$,

where z has the sense defined hereinafter in the description.

The four possible values of $Q_{i,j}$ are $w$, $p_j - w$, $w'$,
$p_j - w'$.

Where t > 2 (i.e. if $p_j \equiv 2^t+1 \pmod{2^{t+1}}$) with h=0
or with h=1:

• a number $s_j$ is computed such that
$s_j \equiv ((p_j-1+2^t)/2^{t+1})^k \pmod{(p_j-1)/2^t}$,

• its key $\langle s_j, p_j \rangle$ is deduced,

• the key $\langle s_j, p_j \rangle$ is applied to $G_i$,

• we thus have: $w \equiv G_i^{s_j} \pmod{p_j}$.

The $2^{\min(k,t)}$ possible values of $Q_{i,j}$ are equal to the
product of w by any one of the $2^{\min(k,t)}$-th roots of the unit
in CG($p_j$).

- where t > 2 (i.e. if $p_j \equiv 2^t+1 \pmod{2^{t+1}}$) with h>1
and with $h+k \le t+1$:

• $s_j$ is computed such that
$s_j \equiv ((p_j-1+2^t)/2^{t+1})^{k+h-1} \pmod{(p_j-1)/2^t}$,

• its key $\langle s_j, p_j \rangle$ is deduced,

• the key $\langle s_j, p_j \rangle$ is applied to the
$2^{h-1}$-th power of $G_i$,

• w is thus obtained.

The $2^k$ possible values of $Q_{i,j}$ belong to all the products
of w by the $2^{k+h-1}$-th primitive roots of the unit in CG($p_j$).

To compute the private components $Q_{i,j}$ where
$G_i \cdot Q_i^v \equiv 1 \bmod n$, $s_j$ is replaced by
$((p_j-1)/2^t) - s_j$ in the key $\langle s_j, p_j \rangle$.

The invention also relates to a process applying the method
allowing the f prime factors $p_1, p_2, \ldots p_f$ or the m base
numbers $g_1, g_2, \ldots g_m$ to be produced.

Said process is intended to prove to a controller entity,

- the authenticity of an entity and/or

- the integrity of a message M associated with this entity,

by means of m pairs of private $Q_1, Q_2, \ldots Q_m$ and public
$G_1, G_2, \ldots G_m$ values (m being greater than or equal to 1)
or parameters derived from them, particularly by means of the
private components $Q_{i,j}$.

Said process implements according to the steps below an entity
called a witness.

Said witness entity has the f prime factors $p_i$ and/or the
parameters of the Chinese remainders of the prime factors and/or
the public modulus n and/or the m private values $Q_i$ and/or the
f.m private components $Q_{i,j}$ of the private values $Q_i$ and
the public exponent.

The witness computes commitments R in the ring of integers
modulo n. Each commitment is computed:

• either by performing operations of the type

$R \equiv r^v \bmod n$

where r is a random number such that 0<r<n,

• or by applying the method of Chinese remainders after
performing operations of the type

$R_i \equiv r_i^v \bmod p_i$

where $r_i$ is a random number associated with the prime number
$p_i$ such that $0 < r_i < p_i$, each $r_i$ belonging to a
collection of random numbers $\{r_1, r_2, \ldots r_f\}$.

The witness receives one or more challenges d, each challenge d
comprising m integers $d_i$ hereinafter called elementary
challenges. The witness computes from each challenge d a
response D,

• either by performing operations of the type

$D \equiv r \cdot Q_1^{d_1} \cdot Q_2^{d_2} \ldots Q_m^{d_m} \bmod n$

• or by applying the method of Chinese remainders after
performing operations of the type

$D_i \equiv r_i \cdot Q_{i,1}^{d_1} \cdot Q_{i,2}^{d_2} \ldots Q_{i,m}^{d_m} \bmod p_i$

Said process is such that there are as many responses D as
challenges d and commitments R. Each group of numbers R, d, D
constitutes a triplet denoted {R,d,D}.
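One round of the exchange described above, written out as an added example (it is not code from the application). It uses constructed toy primes congruent to 3 (mod 4), the direct type $G_i \equiv Q_i^v$, and the t = 1 formula for the private components; the function names, the challenge range and the controller's check $D^v \equiv R \cdot G_1^{d_1} \ldots G_m^{d_m}$ (which follows from the commitment and response formulas) are assumptions of this sketch.

```python
import secrets

# Constructed toy parameters, far too small for real use. Both primes are
# congruent to 3 (mod 4), which is the t = 1 case of the text.
P = (1019, 1031)
N = P[0] * P[1]
K = 5                      # security parameter k
V = 1 << K                 # public exponent v = 2^k
BASES = (2, 3)             # base numbers g_i; public numbers are G_i = g_i^2


def private_component(G, p, k):
    """t = 1 case: s_j = ((p_j+1)/4)^k mod (p_j-1)/2, then w = G^s_j mod p_j."""
    s = pow((p + 1) // 4, k, (p - 1) // 2)
    return pow(G, s, p)


def crt2(x1, x2):
    """The number below n that is x1 modulo P[0] and x2 modulo P[1]."""
    p1, p2 = P
    return x1 + p1 * ((x2 - x1) * pow(p1, -1, p2) % p2)


def make_keys():
    """Public numbers G_i and private numbers Q_i with Q_i^v = G_i (mod n)."""
    G = [g * g % N for g in BASES]
    Q = [crt2(private_component(Gi, P[0], K), private_component(Gi, P[1], K))
         for Gi in G]
    return G, Q


def commit(r=None):
    """Witness, step 1: R = r^v mod n with 0 < r < n."""
    if r is None:
        r = secrets.randbelow(N - 1) + 1
    return r, pow(r, V, N)


def challenge(m):
    """Controller: m elementary challenges (range 0 .. 2^(k-1)-1 is assumed)."""
    return [secrets.randbelow(1 << (K - 1)) for _ in range(m)]


def respond(r, d, Q):
    """Witness, step 2: D = r * Q_1^d1 * ... * Q_m^dm mod n."""
    D = r
    for Qi, di in zip(Q, d):
        D = D * pow(Qi, di, N) % N
    return D


def commit_crt(rs=None):
    """Witness using the factors: R_j = r_j^v mod p_j, then Chinese remainders."""
    if rs is None:
        rs = [secrets.randbelow(p - 1) + 1 for p in P]
    return rs, crt2(pow(rs[0], V, P[0]), pow(rs[1], V, P[1]))


def respond_crt(rs, d, Q):
    """Witness using the factors: one response per prime, then Chinese remainders."""
    parts = []
    for r, p in zip(rs, P):
        Dj = r
        for Qi, di in zip(Q, d):
            Dj = Dj * pow(Qi % p, di, p) % p    # Qi % p is the private component
        parts.append(Dj)
    return crt2(*parts)


def verify(R, d, D, G):
    """Controller: accept when D^v = R * G_1^d1 * ... * G_m^dm (mod n), R and D nonzero."""
    expected = R % N
    for Gi, di in zip(G, d):
        expected = expected * pow(Gi, di, N) % N
    return R % N != 0 and D % N != 0 and pow(D, V, N) == expected


if __name__ == "__main__":
    G, Q = make_keys()
    r, R = commit()
    d = challenge(len(G))
    print("accepted:", verify(R, d, respond(r, d, Q), G))
```

The two witness paths produce the same R and D; the second one only ever exponentiates modulo a single prime factor, which is where the reduced work load comes from.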

Description

The goal of GQ technology is the dynamic authentication of
entities and messages and the digital signature of messages. It
is technology "without transfer of knowledge". One entity proves:
it knows one or more private numbers. Another entity controls: it
knows the corresponding public number or numbers. The proving
entity wishes to convince the controlling entity without
revealing the private number or numbers, so as to be able to use
them as many times as necessary.

Each GQ pattern is based on a public modulus composed of large
secret prime numbers. A public exponent v and a public modulus n
together form a verification key $\langle v, n \rangle$ signifying
"raise to the power v modulo n" and implemented by means of one
or more generic equations, all of the same type, either direct:
$G \equiv Q^v \pmod n$ or inverse: $G \times Q^v \equiv 1 \pmod n$.
The type has an effect on the operation of computations within
the controlling entity, not within the proving entity; in fact
the security analyses treat the two types alike. Each generic
equation links a public number G and a private number Q together
forming a pair of numbers {G,Q}. To sum up, each GQ pattern
implements one or more pairs of numbers {G,Q} for the same key
$\langle v, n \rangle$.

A conventional version of GQ patterns, here called GQ1, uses an
RSA digital signature pattern. The verification key
$\langle v, n \rangle$ is then an RSA public key where the uneven
exponent v is preferably a prime number. Each GQ1 pattern
generally uses a single pair of numbers {G,Q}: the public number
G is deduced from identification data according to a format
mechanism which is an integral part of the RSA digital signature
pattern. The private number Q or else its inverse modulo n is an
RSA signature of identification data. The proving entity
demonstrates knowledge of an RSA signature from its own
identification data and this proof does not reveal the signature
which therefore remains secret so as to be used as many times as
necessary.

GQ1 patterns usually apply to two key levels: the RSA signature
private key is reserved for an authority accrediting entities
distinguishing themselves from each other via identification
data. It is said that such a pattern is "identity based". Thus, a
chip card issuer uses his RSA private key when issuing each card
in order to compute a private number Q which it inscribes as a
diversified private key in the card; or else, a customer on a
computer network uses his RSA private key whenever logging on in
order to compute a private number Q which will be the customer's
ephemeral private key during the session. The proving entities,
chip cards or customers logged on, know an RSA signature of their
identification data; they do not know the RSA private key which,
in the hierarchy of keys, is at the level immediately above.
However a dynamic authentication of entities by GQ1 with a 768
bit modulus at the level of an authority requires approximately
the same work load as a dynamic authentication of entities by RSA
with a 512 bit modulus with three prime factors at the level of
each entity, which allows the proving entity to use the technique
of Chinese remainders by computing a result modulo each of the
prime factors before computing a result modulo the product.

However, the hierarchy of keys between an authority and the
accredited entities is not mandatory. GQ1 may be used with a
modulus particular to the proving entity, which allows the
technique of Chinese remainders to be used to reduce the work
loads of the proving entity, which does not fundamentally change
the work load of the controlling entity, apart from the fact that
a modulus at proving entity level may be shorter than a modulus
at authority level, for example 512 bits compared with 768 bits.

When the entity knows the prime factors of its own modulus, why
use a digital signature RSA pattern?

Another version of GQ patterns, here called elementary GQ2, uses
directly the problem of the factorization of a modulus n. In this
context, "directly" signifies "without using the RSA signature".
The purpose of GQ2 is in fact to reduce the work loads, not only
of the proving entity but also of the controlling entity. The
proving entity demonstrates knowledge of a decomposition of its
own modulus and this proof does not reveal the decomposition
which therefore remains secret to be used as many times as
needed. The security of the GQ2 protocol is equivalent to the
factorization of the modulus.

Each proving entity has its own modulus n. Each GQ2 pattern
implements a parameter k, a small number larger than 1 fixing a
public exponent $v = 2^k$, and one or more pairs of numbers
$\{G_1, Q_1\}$ to $\{G_m, Q_m\}$. Each public number $G_i$ is the
square of a small number $g_i$ larger than 1 and called a "base
number". All the proving entities may use the same public number
or numbers $G_1$ to $G_m$. The factorization of the modulus n and
the private number or numbers $Q_1$ to $Q_m$ are then at the same
level in the hierarchy of keys. Each set of GQ2 elementary keys
is defined by two necessary and sufficient conditions.

- For each base number, neither of the two equations
$x^2 \equiv \pm g_i \pmod n$ has a solution in x in the ring of the
integers modulo n, i.e. the numbers $\pm g_i$ are two
non-quadratic residues modulo n.

- For each base number, the equation $x^v \equiv g_i^2 \pmod n$
where $v = 2^k$ has solutions in x in the ring of the integers
modulo n. The private number $Q_i$ or its inverse modulo n is
either of these solutions.

Given the second condition, for the numbers $\pm g_i$ to be two
non-quadratic residues modulo n, the modulus n must comprise at
least two prime factors congruent with 3 (mod 4) relative to
which the Legendre symbol of $g_i$ differs. Consequently, any
modulus composed of prime factors none or one of which is
congruent with 3 (mod 4) does not allow a set of GQ2 elementary
keys to be established, which favours prime factors congruent
with 3 (mod 4). Drawing at random large prime numbers, about half
of them prove to be congruent with 3 (mod 4) and half with 1
(mod 4). Therefore, many RSA moduli in use do not allow sets of
elementary GQ2 keys to be established.

We introduce here the sets of GQ2 generalized keys used to
overcome this limitation so as to be able to use GQ2 techniques
with any modulus, in particular any RSA modulus; they are based
on two necessary and sufficient principles.

The first principle reproduces the second GQ2 elementary
condition.

- For each base number $g_1$ to $g_m$, the equation
$x^v \equiv g_i^2 \pmod n$ where $v = 2^k$ has solutions in x in
the ring of the integers modulo n.

Because the private number $Q_i$ or else its inverse modulo n is
a solution to the equation, k-1 successive squares modulo n
convert it into a number $q_i$ which is a square root of $G_i$ in
the ring of the integers modulo n. According to whether the
number $q_i$ is equal to one of the two numbers $g_i$ or
$n - g_i$, or different from the two numbers $g_i$ and $n - g_i$,
we say that it is trivial or nontrivial.

When a number $q_i$ is nontrivial, n which divides
$q_i^2 - g_i^2$ divides neither $q_i - g_i$ nor $q_i + g_i$. Any
nontrivial number $q_i$ therefore reveals a decomposition of the
modulus n.

$n = \gcd(n, q_i - g_i) \times \gcd(n, q_i + g_i)$

The second principle broadens the first GQ2 elementary
condition.

- Among the numbers $q_1$ to $q_m$ at least one number $q_i$ is
nontrivial.

Let us note that if a number $q_i$ exists when the numbers
$\pm g_i$ are two non-quadratic residues in the ring of the
integers modulo n, the number $q_i$ is manifestly nontrivial. So,
the sets of elementary GQ2 keys are fully part of the sets of GQ2
keys in general use which allow any modulus to be used, i.e. any
composition of large prime numbers congruent irrespectively with
3 or with 1 (mod 4) at least two of which are distinct. On the
other hand, many sets of GQ2 keys in general use are not sets of
GQ2 elementary keys. Each set of GQ2 keys in general use is in
one of the two following cases.

- When the $2 \times m$ numbers $\pm g_1$ to $\pm g_m$ are all
non-quadratic residues, it is a set of GQ2 elementary keys.

- When among the $2 \times m$ numbers $\pm g_1$ to $\pm g_m$ there
is at least one quadratic residue, it is not a set of GQ2
elementary keys; it is what we call here a set of GQ2
complementary keys.

The present invention relates to sets of GQ2 complementary keys,
by definition, those sets of GQ2 keys in general use which are
not elementary. Apart from the two previous principles, a set of
this kind must satisfy a third principle.

- Among the $2 \times m$ numbers $\pm g_1$ to $\pm g_m$ there is at
least one quadratic residue.

To apprehend the problem and to understand the solution that we
are providing for it, i.e. the invention, let us firstly analyse
the decomposition of the modulus n revealed by a nontrivial
number q, then let us remind ourselves of the technique of
Chinese remainders, then, the notion of rank in a Galois field
CG(p); then, let us study the functions of "raise to square" in
CG(p) and "take a square root" of a quadratic residue in CG(p);
lastly, let us analyse the

applicability of the three principles stated above.

Analysis of the decompositions of the modulus - Just as the
modulus n decomposes into f prime factors $p_1$ to $p_f$, the ring
of the integers modulo n decomposes into f Galois fields
CG($p_1$) to CG($p_f$). In each field, there are two square roots
of the unit, namely $\pm 1$. In the ring, there are therefore
$2^f$ square roots of the unit. Each private number $Q_1$ to $Q_m$
defines a number $\Delta_i \equiv q_i/g_i \pmod n$ which is one of
these $2^f$ square roots of the unit in the ring: in other words,
n divides $\Delta_i^2 - 1$.

• When $q_i$ is trivial, i.e. $\Delta_i = \pm 1$, n divides
$\Delta_i - 1$ or else $\Delta_i + 1$ and therefore $\Delta_i$ does
not reveal any decomposition of modulus n.

• When $q_i$ is nontrivial, i.e. $\Delta_i \ne \pm 1$, n divides
neither $\Delta_i - 1$ nor $\Delta_i + 1$ and therefore $\Delta_i$
reveals a decomposition,
$n = \gcd(n, \Delta_i - 1) \times \gcd(n, \Delta_i + 1)$, resulting
from the value of $\Delta_i$ in each field: the prime factor or
factors dividing $\Delta_i - 1$ on the one hand, it or they
dividing $\Delta_i + 1$ on the other.

Let us examine the multiplicative composition rules of the
numbers q. Two numbers $\{q_1, q_2\}$ give one composite number
$q_1 \times q_2 \pmod n$.

- when $q_1$ is nontrivial and $q_2$ trivial, the composite number
$q_1 \times q_2 \pmod n$ is nontrivial; it reveals the same
decomposition as $q_1$.

- when $q_1$ and $q_2$ are nontrivial and
$\Delta_1 = \pm\Delta_2$, the composite number
$q_1 \times q_2 \pmod n$ is trivial; it reveals no decomposition.

- when $q_1$ and $q_2$ are nontrivial and
$\Delta_1 \ne \pm\Delta_2$, the composite number
$q_1 \times q_2 \pmod n$ is nontrivial; it reveals a third
decomposition.

Three numbers $\{q_1, q_2, q_3\}$ give four composite numbers
$\{q_1 \times q_2,\ q_1 \times q_3,\ q_2 \times q_3,\ q_1 \times q_2 \times q_3 \pmod n\}$,
i.e. a total of seven numbers; m numbers thus give $2^m - m - 1$
composite numbers, i.e. a total of $2^m - 1$ numbers.

Let us consider a set of GQ2 keys in general use comprising i
base numbers $g_1$ to $g_i$ and i private numbers $Q_1$ to $Q_i$
giving i numbers $q_1$ to $q_i$ and therefore i numbers
$\Delta_1$ to $\Delta_i$ which are roots of the unit. Let us seek
to take into account another base number $g_{i+1}$ by a private
number $Q_{i+1}$ giving a number $q_{i+1}$ and therefore a root
$\Delta_{i+1}$.

• The total of $2^{i+1} - 1$ numbers comprises as many nontrivial
numbers in each of the two following cases.

- The root $\Delta_{i+1}$ is trivial and at least one root
$\Delta_1$ to $\Delta_i$ is nontrivial.

- The root $\Delta_{i+1}$ is nontrivial and figures among the
$2 \times i$ roots $\pm\Delta_1$ to $\pm\Delta_i$.

• Where the root $\Delta_{i+1}$ is nontrivial and does not figure
among the $2 \times i$ roots $\pm\Delta_1$ to $\pm\Delta_i$, each
composite number where $q_{i+1}$ figures is nontrivial.

Consequently when among m numbers $q_1$ to $q_m$, at least one is
nontrivial, more than half the total of the $2^m - 1$ numbers are
nontrivial.

By definition, we say that $l < f$ nontrivial numbers
$\{q_1, q_2, \ldots q_l\}$ are independent relative to the modulus
n when each of the $2^l - l - 1$ corresponding composite numbers
is nontrivial, in other words that, in total, the $2^l - 1$
numbers are all nontrivial. Each of these $2^l - 1$ numbers then
reveals a different decomposition of the modulus n.

When the f prime factors are distinct, there are $2^{f-1} - 1$
decompositions of the modulus n. Then, if f-1 numbers q are
independent, there is a one-to-one correspondence between the
$2^{f-1} - 1$ decompositions and a total of $2^{f-1} - 1$ numbers
including the f-1 independent numbers and the $2^{f-1} - f$
corresponding composite numbers.

Chinese remainders - Let two numbers a and b be prime between
themselves such that 0<a<b, and two numbers $X_a$ from 0 to a-1
and $X_b$ from 0 to b-1; it is a matter of determining the unique
number X from 0 to $a \times b - 1$ such that
$X_a \equiv X \pmod a$ and $X_b \equiv X \pmod b$. The number
$\alpha \equiv \{b \pmod a\}^{-1} \pmod a$ is the parameter of the
Chinese remainders. Here is the elementary operation of Chinese
remainders.

$x \equiv X_b \pmod a$
$y = X_a - x$; if y is negative, replace y by y+a
$z \equiv \alpha \times y \pmod a$
$X = z \times b + X_b$

To sum up, we write: X = Chinese Remainders ($X_a$, $X_b$).

When f prime factors are put into ascending order, from the
smallest $p_1$ to the largest $p_f$, the parameters of the Chinese
remainders may be the following (there is one less than prime
factors, i.e. f-1).

The first parameter is $\alpha \equiv (p_2 \pmod{p_1})^{-1} \pmod{p_1}$.

The second parameter is $\beta \equiv (p_1 \times p_2 \pmod{p_3})^{-1} \pmod{p_3}$.

The i-th parameter is $\lambda \equiv (p_1 \times \ldots p_{i-1} \pmod{p_i})^{-1} \pmod{p_i}$.

And so on.

In f-1 elementary operations, a number X is established from 0 to
n-1 from any set of f components from $X_1$ to $X_f$ with $X_j$
from 0 to $p_j - 1$:

- a first result (mod $p_1 \times p_2$) with the first parameter,

- then, a second result (mod $p_1 \times p_2 \times p_3$) with the
second parameter,

- up to the final result (mod $n = p_1 \times p_2 \times \ldots p_f$)
with the last parameter.

To sum up, given the prime factors $p_1$ to $p_f$, each element of
the ring of the integers modulo n has two equivalent
representations:

- f numbers $X_1$ to $X_f$, one component per prime factor:
$X_j \equiv X \pmod{p_j}$,

- a number X from 0 to n-1, X = Chinese remainders
($X_1$, $X_2$, to $X_f$).
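The elementary operation and its chained parameters, applied to the analysis of decompositions given earlier, as an added example (not code from the application). It rebuilds every square root of the unit of a constructed toy modulus n = 7 x 13 x 17 from its +1/-1 components and shows which of the resulting square roots q of G = g^2 are trivial and which factor n; the function names and the toy values are assumptions of this sketch.

```python
from itertools import product
from math import gcd


def elementary_operation(Xa, Xb, a, b, alpha):
    """The X in [0, a*b) with X = Xa (mod a) and X = Xb (mod b); alpha = b^-1 mod a."""
    x = Xb % a
    y = Xa - x
    if y < 0:
        y += a
    z = alpha * y % a
    return z * b + Xb


def parameters(primes):
    """The f-1 parameters for prime factors given in ascending order."""
    params = [pow(primes[1] % primes[0], -1, primes[0])]
    b = primes[0] * primes[1]
    for p in primes[2:]:
        params.append(pow(b % p, -1, p))
        b *= p
    return params


def chinese_remainders(components, primes, params):
    """Rebuild X in [0, n) from its f components in f-1 elementary operations."""
    X = elementary_operation(components[0], components[1],
                             primes[0], primes[1], params[0])
    b = primes[0] * primes[1]
    for Xj, p, lam in zip(components[2:], primes[2:], params[1:]):
        X = elementary_operation(Xj, X, p, b, lam)
        b *= p
    return X


def decomposition(delta, n):
    """gcd(n, delta-1) and gcd(n, delta+1) for a square root of the unit delta."""
    return gcd(n, delta - 1), gcd(n, delta + 1)


def square_roots_of_G(g, primes):
    """Map each sign pattern (one +1/-1 per prime) to (q, trivial?, decomposition)."""
    n = 1
    for p in primes:
        n *= p
    params = parameters(primes)
    table = {}
    for signs in product((1, -1), repeat=len(primes)):
        components = [s % p for s, p in zip(signs, primes)]
        delta = chinese_remainders(components, primes, params)
        q = delta * g % n                      # q = delta * g is a square root of g^2
        trivial = q in (g % n, -g % n)         # constant components give q = +g or n-g
        table[signs] = (q, trivial, decomposition(delta, n))
    return table


if __name__ == "__main__":
    PRIMES = (7, 13, 17)                       # constructed toy factors, n = 1547
    for signs, (q, trivial, parts) in square_roots_of_G(2, PRIMES).items():
        print(signs, q, "trivial" if trivial else "nontrivial", parts)
```

With f = 3 the six variable sign patterns give the three decompositions 7 x 221, 13 x 119 and 17 x 91, and the two constant patterns give none.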

Rank of numbers in CG(p) - Let there be an uneven prime number p
and a number a smaller than p, i.e. 0<a<p. By definition, the
rank of a relative to p is the period of the stream {X} defined
by {$x_1 = a$; then, for $i \ge 1$,
$x_{i+1} \equiv a \times x_i \pmod p$}. By means of the Fermat
theorem, we obtain:
$x_{i+p} \equiv a^p \times x_i \equiv a \times x_i \equiv x_{i+1} \pmod p$.
Consequently, the rank of a number a relative to a prime number p
is p-1 or a divisor of p-1.

For example, when (p-1)/2 is an uneven prime number p', the
Galois field CG(p) comprises a number of rank 1: this is 1, a
number of rank 2: this is -1, p'-1 numbers of rank p' and p'-1
numbers of rank $2 \times p' = p-1$. In CG(p), any number of rank
p-1 is a "generator". The denomination is due to the fact that
the successive powers of a generator in CG(p), i.e. the terms of
the stream {X} for the indices from 1 to p-1, form a permutation
of all the non nil elements of CG(p).

Let there be a generator y of CG(p). Let us evaluate the rank of
the number $y^i \pmod p$ as a function of i and of p-1. When i is
prime with p-1, it is p-1. When i divides p-1, it is (p-1)/i. In
all cases, it is $(p-1)/\gcd(p-1, i)$.

By definition, the Euler function $\varphi(n)$ is the number of
numbers smaller than n and prime with n. In CG(p), there are
$\varphi(p-1)$ generators.

By way of illustration, the rank gives a good understanding of
the bases of the RSA. The modulus n is the product of f prime
factors $p_1$ to $p_f$ with $f \ge 2$. For each prime factor $p_j$
from $p_1$ to $p_f$ the public exponent e must be prime with
$p_j - 1$. Then, the key $\langle e, p_j \rangle$ respects the rank
of the elements of CG($p_j$): it permutates the elements of
CG($p_j$); there exists a number $d_j$, generally the smallest
possible, such that $p_j - 1$ divides $e \times d_j - 1$. The key
$\langle d_j, p_j \rangle$ inverts the permutation of the elements
of CG($p_j$). These f permutations, one in each field CG($p_1$) to
CG($p_f$), are expressed in the ring of the integers modulo n by
the RSA permutation summarised by the public key
$\langle e, n \rangle$. There exists a number d, generally the
smallest possible, such that
$\mathrm{lcm}(p_1 - 1, p_2 - 1, \ldots p_f - 1)$ divides
$d \times e - 1$. For each prime factor $p_j$ from $p_1$ to $p_f$
we have $d_j \equiv d \pmod{p_j - 1}$. The RSA permutation
summarised by the public key $\langle e, n \rangle$ is inverted by
the private key $\langle d, n \rangle$.

Squares in CG(p) - Let us define a number t such that p-1 is
divisible by $2^t$, but not by $2^{t+1}$. Each large prime number
figures in one category and one alone: t=1, t=2, t=3, t=4, and so
on. If a sufficiently large number of successive prime numbers is
considered, about one in two figures in the first category where
p is congruent with 3 (mod 4), one in four in the second where p
is congruent with 5 (mod 8), one in eight in the third where p is
congruent with 9 (mod 16), one in 16 in the fourth where p is
congruent with 17 (mod 32), and so on; on average, one in $2^t$
figures in the t-th category where p is congruent with $2^t + 1$
(mod $2^{t+1}$).

Because the numbers x and p-x have the same square in CG(p), the
key $\langle 2, p \rangle$ does not permutate CG(p). The "raise to
square" function in CG(p) may be represented by an oriented graph
where each non nil element of the field has its place. Let us
analyse the structure of the graph in branches and in cycles
according to the parity of the rank of each element.

- The nil element is fixed. It is 0. The rank is not defined for
the nil element to which no other element is connected; the nil
element is isolated.

- The unit element is fixed. It is 1, the only element of rank
one. All the roots of the unit in CG(p) are in the branch
connecting to 1. Let y be a non-quadratic residue of CG(p), no
matter which; the key $\langle (p-1)/2^t, p \rangle$ converts y
into a $2^{t-1}$-th primitive root of -1 denoted by b; in fact, we
have $y^{(p-1)/2} \equiv -1 \pmod p$. Consequently, in CG(p), the
powers of b for the exponents from 1 to $2^t - 1$ are the
$2^t - 1$ roots of the unit other than 1: they compose the branch
connecting to 1.

- The square of any element of even rank is another element whose
rank is divided by two. Consequently, each element of even rank
is placed in a branch; each branch comprises a number of rank
divisible by two but not by four, then, if $t \ge 2$, two numbers
of rank divisible by four but not by eight, then, if $t \ge 3$,
four numbers of rank divisible by eight but not by sixteen, then,
if $t \ge 4$, eight numbers of rank divisible by sixteen but not
by 32, and so on. All the branches are similar to the branch
connected to 1; the $2^{t-1}$ leaves of each branch are
non-quadratic residues; each branch comprises $2^t - 1$ elements
and is connected to an element of uneven rank; there are
$(p-1)/2^t$ branches which all have the same length t.

- The square of any element of uneven rank other than the unit
element is another element having the same rank. The key
$\langle 2, p \rangle$ permutates all the $(p-1)/2^t$ elements of
uneven rank. The permutation decomposes into permutation cycles.
The number of cycles depends on the factorization of
$(p-1)/2^t$. For each divisor p' of $(p-1)/2^t$, there is a cycle
comprising the $\varphi(p')$ elements of rank p'. It should be
remembered that by definition, the Euler function $\varphi(p')$ is
the number of numbers smaller than p' and prime with p'. For
example when $p' = (p-1)/2^t$ is prime, the p'-1 numbers of rank
p' form a large permutation cycle.

Figures 1A to 1D each show a graph fragment for p congruent
respectively with 3 (mod 4), 5 (mod 8), 9 (mod 16) and 17
(mod 32).

- The leaves on the branches are shown by white rounds; these are
non-quadratic residues.

- The nodes in the branches are shown by grey rounds; these are
quadratic elements of even rank.

- The nodes in the cycles are shown by black

rounds; these are quadratic elements of uneven rank.

Square roots in CG(p) - Knowing that a is a quadratic residue of
CG(p), let us see how to compute a solution to the equation
$x^2 \equiv a \pmod p$, i.e. "take a square root" in CG(p). There
are of course several ways of obtaining the same result:
reference could be made to pages 31 to 36 of the book by Henri
Cohen, A Course in Computational Algebraic Number Theory,
published in 1993 by Springer in Berlin as volume 138 of the
series Graduate Texts in Mathematics (GTM 138).

The number $s = (p-1+2^t)/2^{t+1}$ gives a key
$\langle s, p \rangle$ which is worth:

$\langle (p+1)/4, p \rangle$ when p is congruent with 3 (mod 4),
$\langle (p+3)/8, p \rangle$ when p is congruent with 5 (mod 8),
$\langle (p+7)/16, p \rangle$ when p is congruent with 9 (mod 16),
$\langle (p+15)/32, p \rangle$ when p is congruent with 17 (mod 32),
and so on.

The key $\langle s, p \rangle$ converts any element in a cycle
into the previous element in the cycle. When a is of uneven rank,
it is the solution of uneven rank; we name it w. Indeed, in
CG(p), $w^2/a$ is worth a raised to the power
$(2 \times (p-1+2^t)/2^{t+1}) - 1 = (p-1)/2^t$. The other solution
is of even rank; it is p-w.

In a general way, the key $\langle s, p \rangle$ converts any
quadratic residue a into a first solution approximation which we
name r. Since a is a quadratic residue, the key
$\langle 2^{t-1}, p \rangle$ certainly converts $r^2/a$ into 1. To
get close to a square root of a, let us raise $r^2/a$ to the power
$2^{t-2}$ (mod p) to obtain +1 or -1. The new approximation
remains r if the result is +1 or else becomes $b \times r$ (mod p)
if the result is -1, knowing that b denotes any $2^t$-th primitive
root of 1 in the field CG(p). Consequently, the key
$\langle 2^{t-2}, p \rangle$ converts the new approximation into 1.
It is also possible to get close by using the key
$\langle 2^{t-3}, p \rangle$ and by multiplying by $b^2$ (mod p) if
necessary, and so on.

The following algorithm solves the equation. It uses the numbers
a, b, p, r and t defined above and two variables: c represents
successive corrections and w the successive approximations. At
the beginning of the algorithm, c=b and w=r. At the end of the
computation, the two solutions are w and p-w.

For i going from t-2 to 1, repeat the following sequence:

- Apply the key $\langle 2^i, p \rangle$ to the number $w^2/a$
(mod p) to obtain +1 or -1.

- When -1 is obtained, replace w by $w \times c$ (mod p).

- Replace c by $c^2$ (mod p).
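The square-root procedure above in runnable form, as an added example (not code from the application), using the text's variables s, b, c and w. Two choices are mine: b is derived from the smallest non-quadratic residue, and the loop continues down to i = 0 so that the returned w satisfies w^2 = a (mod p) exactly for every category of prime.

```python
def non_residue(p):
    """Smallest non-quadratic residue of CG(p), found by Euler's criterion."""
    y = 2
    while pow(y, (p - 1) // 2, p) != p - 1:
        y += 1
    return y


def square_roots(a, p):
    """Both solutions of x^2 = a (mod p) for a quadratic residue a of CG(p)."""
    a %= p
    if pow(a, (p - 1) // 2, p) != 1:
        raise ValueError("a is not a nonzero quadratic residue of CG(p)")
    t = ((p - 1) & -(p - 1)).bit_length() - 1   # 2^t divides p-1, 2^(t+1) does not
    s = (p - 1 + (1 << t)) >> (t + 1)           # s = (p-1+2^t)/2^(t+1)
    b = pow(non_residue(p), (p - 1) >> t, p)    # a 2^t-th primitive root of 1
    w, c = pow(a, s, p), b                      # w starts as r, c starts as b
    a_inv = pow(a, -1, p)
    for i in range(t - 2, -1, -1):              # continues to i = 0 (see lead-in)
        # key <2^i, p> applied to w^2/a gives +1 or -1
        if pow(w * w * a_inv % p, 1 << i, p) == p - 1:
            w = w * c % p                       # correct the approximation
        c = c * c % p                           # next, finer correction
    return w, p - w


if __name__ == "__main__":
    # One constructed prime per category named in the text: t = 1, 2, 3, 4.
    for p in (7, 13, 41, 17):
        for x in range(1, p):
            a = x * x % p
            w, other = square_roots(a, p)
            assert w * w % p == a
        print(p, "ok")
```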

Applicability of principles - By definition we say that a
parameter k, a base number g and a prime factor p are compatible
when the equation $x^v \equiv g^2 \pmod p$ where the exponent v is
worth $2^k$ has solutions in x in the field CG(p). The numbers k
and g are small and larger than 1. The number p is a large prime
number.

- When t=1, i.e. $p \equiv 3 \pmod 4$, the equation has two
solutions.

- When t=2, i.e. $p \equiv 5 \pmod 8$, according to the Legendre
symbol of g relative to p, the equation has four solutions if
$(g|p) = +1$; it has no solution if $(g|p) = -1$.

- When t>2, i.e. $p \equiv 1 \pmod 8$, let u be the number such
that $2^u$ divides the rank of the public number $G = g^2$
relative to p, but that $2^{u+1}$ does not divide it;
consequently, u is equal to one of the numbers from 0 to t-1. The
equation has no solution if u>0 and k+u>t; it has $2^k$ solutions
if $k+u \le t$; it has $2^t$ solutions if u=0 and k>t.

There are therefore two types of compatibility according to
whether G is in a cycle or else in an appropriate position in a
branch.

- When G is in a cycle, i.e. u=0 whatever the value of k, there
is a solution of uneven rank in the cycle and solutions of even
rank disseminated in $\alpha = \min(k,t)$ consecutive branches
connected to the cycle, i.e. $2^\alpha$ solutions in all. Figure 2A
shows this case with k>t=3, i.e. a prime factor congruent with 9
(mod 16), which imposes u=0.

- When G is in an appropriate position in a branch, i.e. u>0 and
$u+k \le t$, there are $2^k$ solutions, all of even rank and in
the branch. Figure 2B shows this case.
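The compatibility rules above, together with the earlier tests of the first and third conditions, as an added example (not code from the application). Here h and u are computed straight from their definitions by repeated squaring rather than by the sub-module of the first-condition test, and the predicted number of solutions is meant to be compared with an exhaustive count over small constructed primes; all function names are assumptions of this sketch.

```python
def two_exponent(n):
    """Largest e such that 2^e divides n (n > 0)."""
    return (n & -n).bit_length() - 1


def rank_two_part(a, p):
    """Largest e such that 2^e divides the rank (multiplicative order) of a in CG(p)."""
    t = two_exponent(p - 1)
    x = pow(a, (p - 1) >> t, p)       # the rank of x is exactly 2^e
    e = 0
    while x != 1:
        x = x * x % p
        e += 1
    return e


def legendre(a, p):
    """Legendre symbol (a|p) as +1, -1 or 0."""
    s = pow(a % p, (p - 1) // 2, p)
    return -1 if s == p - 1 else s


def compatibility(k, g, p):
    """(compatible?, number of solutions x of x^(2^k) = g^2 mod p) from t and u."""
    t = two_exponent(p - 1)
    u = rank_two_part(g * g % p, p)
    if u == 0:                        # G is in a cycle
        return True, 2 ** min(k, t)
    if k + u <= t:                    # G is in an appropriate position in a branch
        return True, 2 ** k
    return False, 0


def compatible_by_h(k, g, p):
    """Same decision from h, the exponent of 2 in the rank of g itself."""
    t = two_exponent(p - 1)
    h = rank_two_part(g, p)
    return h <= 1 or k + h <= t + 1


def count_solutions(k, g, p):
    """Exhaustive count, usable only for the small constructed primes below."""
    G = g * g % p
    return sum(1 for x in range(1, p) if pow(x, 2 ** k, p) == G)


def first_condition(k, bases, primes):
    """Every base number is compatible with k and with every prime factor."""
    return all(compatibility(k, g, p)[0] for g in bases for p in primes)


def third_condition(bases, primes):
    """True when some g_i or -g_i is a quadratic residue for every prime factor."""
    return any(all(legendre(sign * g, p) == 1 for p in primes)
               for g in bases for sign in (1, -1))


if __name__ == "__main__":
    for p in (7, 13, 17, 41, 97):                 # t = 1, 2, 4, 3, 5
        for g in (2, 3, 5):
            for k in (2, 3, 4):
                print(p, g, k, compatibility(k, g, p), count_solutions(k, g, p))
```

For the constructed pair (17, 41) with g = 2 and k = 2 both the first and the third condition hold, which is the complementary situation the invention addresses; a pair of primes congruent to 3 (mod 4) with differing Legendre symbols for 2 fails the third condition.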

Given a parameter k, there are therefore two types 
of prime factors according to whether the value of t is 

10 lower than k or else higher than or equal to k. 

For any prime factor pj such that t<k, each G ± 
must be in a cycle and there is no solution in the 
branch connected to G^. Let us define a number A ij7 < which 
is worth +1 or -1 depending on whether g x or -g± is in 

15 the cycle. There is no choice for any of the m numbers 
A lfJ to A m ,j. Figure 3A shows a case t<k, G ± is in a cycle 
with a prime factor Pj congruent with 9 (mod 16), i.e., 
u=0, t=3 with k>3. 

For any prime factor p D such that t>k, each G 2 

20 must be such that u+k<t, in other words, or else in a 
cycle with u=0 or else in an appropriate position in a 
branch with 1 < u < t-k. Let us define a number A ±j which 
is worth +1 or -1 depending on whether Q ± j is in the part 
of the graph connected to g ± or -g ± . There is the choice 

25 for each of the 77? numbers A lfj to A m/j ; each number A 2j may 
be individually swung from one value to the other. 
Figure 3B shows a case t>k: G± is in a branch with a 
prime factor p, congruent with 17 (mod 32), i.e., u=l, 
t=4 with k=3 . 

Each set of f components {Δ_{i,1} to Δ_{i,f}} is a
square root of the unit in CG(pf). This root is trivial
or nontrivial according to whether the f components are
equal or not; we then say that the set of f components
is constant or variable, which expresses the fact that
the number q_i is trivial or nontrivial. Consequently,
when a number q_i is nontrivial, the set of f components
{Δ_{i,1} to Δ_{i,f}} summarises a decomposition of the
modulus.

It is then possible to test the principles before
computing the private components Q_{i,j}.

- When a public number G_i is in a cycle for a
prime factor p_j, the number Δ_{i,j} is worth +1 or -1
according to whether g_i or -g_i is in the cycle. When
p_j ≡ 3 (mod 4), it is the Legendre symbol:
Δ_{i,j} = (g_i|p_j).

- When a public number G_i is in an appropriate
position in a branch for a prime factor p_j, the value
to be given to Δ_{i,j} may be determined before computing
the private component Q_{i,j}.

Production of sets of keys - Given a parameter k,
there are two strategies.

- Either the generator requires f prime factors in
order to determine m base numbers. The first prime
numbers: 2, 3, 5, 7, etc. are examined to evaluate their
compatibility with each of the f large prime factors p_1
to p_f. Although g=2 is not compatible with p≡5 (mod 8),
2 can come into the composition of a base number. Indeed,
when two numbers are in a similar position in a branch,
their product is closer to the cycle, just as a square
comes closer to the cycle. A base number can be obtained
in this way by composing numbers which are individually
not appropriate.

- Or the generator requires m base numbers and
modulus characteristics such as a bit size (for example,
512, 768, 1024, 1536, 2048) and a number of high order
bits following 1 (for example, 1, 8, 16, 24, 32) in
order to determine f ≥ 2 prime factors. Denoted by g_1,
g_2 ... g_m, the base numbers generally figure among the
first prime numbers: 2, 3, 5, 7, 11, etc. or else they
are combinations of the first prime numbers. Unless
otherwise indicated, these are the m first prime
numbers: g_1=2, g_2=3, g_3=5, g_4=7, etc. It should be
noted that p≡5 (mod 8) is not compatible with g=2. The
modulus n will be the product of f prime factors of
neighbouring sizes, namely the size allocated to the
modulus divided by f.

First principle - The parameter k, each prime
factor p going from p_1 to p_f and each base number g
going from g_1 to g_m must be compatible. Let us define a
number h such that 2^h divides the rank of g relative to
p, whereas 2^(h+1) does not divide it. To compute the
number h, the following procedure uses the Legendre
symbol (g|p) and a number b, 2^t-th primitive root of the
unit in CG(p).

- If (g|p)=+1 with t=1, return "h=0".
- If (g|p)=+1 with t>1, apply the key
  <(p-1+2^t)/2^(t+1), p> to G to obtain a result called w.
  - If w=+g, return "h=0".
  - If w=p-g, return "h=1".
  - If not, put c to b and for i going from t-1 to 2,
    - apply the key <2^i, p> to w/g (mod p) to obtain ±1,
    - if -1, put h to i and replace w by w×c (mod p),
    - replace c by c^2 (mod p).
  - Return "value of h from 2 to t-1".
- If (g|p)=-1, return "h=t".

Let us remember that k, g and p are incompatible
when u>0 with k+u>t; they are compatible when h=0 or 1,
whatever the value of k, and also when h>1 with k+h≤t+1.

Second principle - the three following procedures
correspond to different implementations of the second
principle. In some implementations, the second principle
can be reinforced to the extent of demanding that each
number q_1 to q_m is nontrivial. The role of the base
numbers is then balanced; the fact of balancing or not
balancing the second principle has an effect on some
aspects of demonstration of the security of the pattern.
Finally, when there are f>2 distinct prime factors, among
the m numbers {q_1 to q_m}, it is possible to demand that
there is at least one subset of f-1 independent
numbers.

The three procedures use m×f numbers δ_{i,j} defined
as follows.

When p_j is such that t<k, for i going from 1
to m, δ_{i,j} = i.e. +1 if h_{i,j} = 0 and -1 if h_{i,j} = 1.

When p_j is such that t≥k, for i going from 1
to m, 0, which shows that Δ_{1,j} to can be chosen
as a function of the second principle.

A first procedure verifies that at least one set
{δ_{i,1} to δ_{i,f}} is variable or nil, in other words
that at least one number q_1 to q_m is nontrivial or may
be chosen nontrivial.

- For i going from 1 to m and j going from 1 to f,
  - If δ_{i,j} = 0 or ≠ δ_{i,1}, return "success".
- Return "failure".

A second procedure verifies that each set {δ_{i,1} to
δ_{i,f}} is variable or nil, in other words that at least
one number q_1 to q_m is nontrivial or may be chosen
nontrivial.

- For i going from 1 to m,
  - for j going from 1 to f,
    - if δ_{i,j} = 0 or ≠ δ_{i,1}, go to the next
      value of i.
  - Return "failure".
- Return "success".

A third procedure verifies that for each pair of
prime factors p_{j1} and p_{j2} with 1≤j1<j2≤f, there is
at least one set {δ_{i,1} to δ_{i,f}} where δ_{i,j1} is
nil or different from δ_{i,j2}. It fails manifestly when
m is smaller than f-1. When it succeeds, among the m
numbers q_1 to q_m, there is at least one set of f-1
independent numbers relative to the f prime factors.

- For j1 going from 1 to f-1 and for j2 going
  from to f,
  - for i going from 1 to m,
    - if δ_{i,j1} = 0 or ≠ δ_{i,j2}, go to the next
      values of j1 and j2.
  - Return "failure".
- Return "success".

When a procedure fails, the generator of sets of
GQ2 keys follows one of the two possible strategies:

- change one of the m base numbers while keeping
  the f prime factors,
- change one of the f prime factors while
  keeping the m base numbers.

Third principle - the following procedure
determines whether the set of generalized GQ2 keys in
the course of production or already produced is:

- a set of GQ2 elementary keys, in other words
  that the 2×m numbers ±g_1 to ±g_m are all non-quadratic
  residues,
- or else, a set of GQ2 complementary keys, in
  other words that among the 2×m numbers ±g_1 to ±g_m
  there is at least one quadratic residue.

The procedure uses the two Legendre symbols (g_i|p_j)
and (-g_i|p_j) for i going from 1 to m and for j going
from 1 to f.

- For i going from 1 to m,
  - for j going from 1 to f,
    - if (g_i|p_j) = -1, go to the next value of i.
  - Return "set of GQ2 complementary keys".
  - for j going from 1 to f,
    - if (-g_i|p_j) = -1, go to the next value of i.
  - Return "set of GQ2 complementary keys".
- Return "set of GQ2 elementary keys".
Private components - for an equation of the direct
type: x^v ≡ g_i^2 (mod p_j), the following computations
establish all the possible values of the private
component Q_{i,j}. The two simplest and most common
cases, i.e. t=1 and t=2, are followed by the most complex
case, i.e. t>2.

For t=1, i.e. p_j ≡ 3 (mod 4), the key <(p_j+1)/4, p_j>
gives the quadratic square root of any quadratic residue
in CG(p_j). A number s_j ≡ ((p_j+1)/4)^k (mod (p_j-1)/2)
is deduced, which gives a key <s_j, p_j> converting G_i
into w ≡ G_i^{s_j} (mod p_j). Q_{i,j} is equal to w or
else to p_j-w.

For t=2, i.e. p_j ≡ 5 (mod 8), the key <(p_j+3)/8, p_j>
gives the square root of uneven rank of any element of
uneven rank in CG(p_j). A number s_j ≡ ((p_j+3)/8)^k
(mod (p_j-1)/4) is deduced, which gives a key <s_j, p_j>
converting G_i into w ≡ G_i^{s_j} (mod p_j). It should be
observed that z ≡ 2^((p_j-1)/4) (mod p_j) is a square
root of -1 because 2 is a non-quadratic residue in
CG(p_j). Q_{i,j} is equal to w or else to p_j-w or else
to w' ≡ w×z (mod p_j) or else to p_j-w'.

For p_j ≡ 2^t+1 (mod 2^(t+1)) with t>2, the key
<(p_j-1+2^t)/2^(t+1), p_j> gives the square root of
uneven rank of any element of uneven rank. The
compatibility test between k, g and p has given the
value of h, then that of u.

- When G_i is in a cycle (u=0, whatever the value
of k), a number s_j ≡ ((p_j-1+2^t)/2^(t+1))^k
(mod (p_j-1)/2^t) is established. The key <s_j, p_j>
converts G_i into the solution of uneven rank
G_i^{s_j} (mod p_j). There are solutions of even rank
distributed in min(k,t) consecutive branches tied to the
cycle, let us say in a branches. Q_{i,j} is equal to the
product of w by any of the 2^a-th roots of the unit in
CG(p_j).

- When G_i is in an appropriate position in a
branch (u>0, u+k≤t), all the solutions are in the same
branch as G_i, a branch tied to a cycle by the 2^u-th
power of the number G_i. A number
s_j ≡ ((p_j-1+2^t)/2^(t+1))^(k+u) (mod (p_j-1)/2^t) is
established. The key <s_j, p_j> converts the 2^u-th
power of G_i into a number of uneven rank w. All the
products of w by the 2^(k+u)-th primitive roots of the
unit in CG(p_j) include the 2^k values of Q_{i,j}.

When p_j is such that t≥k, the number b_j being a
2^t-th primitive root of the unit in CG(p_j), the
2^(t-u)-th power of b_j in CG(p_j) exists; it is a 2 -th
primitive root of the unit. Multiplying Q_{i,j} by a
2*-th primitive root of the unit allows the value of the
number Δ_{i,j} to be swung.

For an equation of the inverse type: 1 ≡ x^v × g_i^2
(mod p_j), it is sufficient to replace the number s_j by
((p_j-1)/2^t) - s_j in the key <s_j, p_j>, which amounts
to inverting the value of Q_{i,j} in CG(p_j).

Example of a set of keys with two prime factors 
congruent with 5 (mod8) 


p 1 =E6C83BF428 68 9AF8C35E07EDD0 6F9B39A65982 9A58B7 9CD8 94C4 35 
C95F32BF25 

p 2 =HBF8A68A0817BFCC00F157 31C8B7 0CEF92 04A34133A0DEF8 6282 9 
B2EEA74873D 

20 n=p 1 Xp 2 =FFFF82 634 34Fl7 3DOF2E7 6B32D904F5 6F4A5A6A50008C4 3D3 
2B650E9AB9AAD2EB713CD4F9A97C4DBDA3828A3 954F2 964 58D5F42C0 
12 6F5BD6B054 7 8BE0A80ED1 

Here are the Legendre symbols of the very first prime
numbers.

(2|p_1) = -1; (3|p_1) = -1; (5|p_1) = -1; (7|p_1) = -1;
(11|p_1) = +1; (13|p_1) = -1; (17|p_1) = +1;
In CG(p_1) the rank is uneven for -5, -11 and 17.

(2|p_2) = -1; (3|p_2) = +1; (5|p_2) = +1; (7|p_2) = +1;
(11|p_2) = +1; (13|p_2) = -1; (17|p_2) = -1;
In CG(p_2) the rank is uneven for 3, -5, 7 and 11.

The Carmichael function is
λ(n) = lcm((p_1-1)/4, (p_2-1)/4).
λ(n) = 33331A13DA4 304A5CFD617BD6F834 31164212154 3334F4 0C3D5
7A9C8558555D5BDAA2EF6AED17B9E37 94F51A65A1B37 23 9B18FA9B0F 
618 62 7D8C7E1D84 99C1B 

With k=9, the number σ ≡ λ(n) - ((1+λ(n))/2)^9 (mod λ(n))
is used as private exponent, so as to use generic
equations of the inverse type.

a=0lE6657 7BC997CAC273 671E187A35EFD2 537 3ABC9FE677 0E74 4 6C0 
10 CCEF2C72AF6E8 9D0BE2 77CC6165F1007187AC58028BD2 416D4CC1121 
E7A7A8B6AE18 6BB4B0 

The numbers 2, 3, 7, 13 and 17 are not suitable as a
base number.

The key <σ, n> converts g_1=5 into a private number Q_1
which shows no decomposition. Indeed, in both fields, -5
is on a cycle.

O 1 =818C2 3AF3DE333FAECE88A71C4 5 91A7 0553F91D6C0DD5538EC0F2A 
20 AF90 9B5BDAO4 91FD8BF13F18E3DA37 7 4CCE19D0 0 97BC4BD4 7C5D6E0E 
7EBF6D8 9FE3DC517 6C 

The key <σ, n> converts g_2=11 into a private number Q_2
which shows decomposition. Indeed, 11 is not in the same
position in the two fields.

Q 2 =2 5F9AFDF17 7 993BE8652CE6E2C728AF31B6D66154D3935AC535196 
B0 7C19080DC962E4E8 6ACF4 0D01FDC4 54F2 5654 54F2 90050DA052 08 9 
EEC96A1B7DEB92CCA7 

The key <σ, n> converts g_3=21=3×7 into a private
number Q_3 which shows decomposition.

O 3 =7 8A8A2F30FEB4A52 33BC05541AF7B684C2 4 0 6415EAlDD67D18A04 5 
35 9A1254121E95D5CAD8A1FE3ECFE0685C96CC7EE86167D99532B3A96B 
6BF9D93CAF8D4F6AF0 
The key <σ, n> converts g_4=26=2×13 into a private
number Q_4 which shows decomposition.

5 Q 4 =6F17 4 8A6280A200C38824CA34C939F97DD2 941DAD300030E4 81B73 
8C62BF8C6737 31514D197 8AF5 655FE4 93D65 9514A6CE8 97AB7 6C01E5 
0B54 88C5DAD12332E5 

The private key may still be represented by the two
prime factors, the parameter of the Chinese remainders
and eight private components.

α ≡ (p_2 (mod p_1))^{-1} (mod p_1) =

ADE4E7 7B7 03F5FDEAC5B9AAE825D64 9E06692D15FBF0DF7 37B115DC4 
15 D012FD1D 

Q_{1,1} ≡ Q_1 (mod p_1) =

7 7 51A9EE18A8F5CE4 4AD7 3D613A4F4 65E0 6C6F9AF4D22 994 9C7 4DD6C 
18D7 6FAF 

0i,2=0i (modp 2 ) -A9EB5FA1B2A981AA64CF88C382923DB64376F5FD481 
20 52C08EEB6114F31B7 665F 

Qz, i=<?2 (modpi) =D5A7D33C5FB75A033F2FOE8B20274B957FA34004ABB 
2C2AC1A3F532 0C5A904 9 

0 2 , 2 =0 2 (modp 2 ) -76C9F5EFD066C73A2B5CE9758DB512DFC011F5B5AF7 
DA8D3.9A961CC87 6F2DD8F 
25 Q 3 ,i=Q3 (modpi) =2FEC0DC2DCA5BA72 90B27BC8CC85C938A514B8F5CFD 
55820A17 4FB5E6DF7B883 

03,2=03 (modp 2 ) =010D488E6BOA38A1CC406CEEOD55DE59013389D8549 
DE4 93413F34 604A160C1369 

Q Atl =Q A (modpi) -A2B32026B6F82B6959566FADD9517DB8ED852465214 
30 5EE15 9DF3DC0C61FE3617 

Qa,2=Qa (modp 2 ) =011A3BB9B607F0BD71BBE25F52B305C224899E5F1F8 
CDC2FE0D8F9FF62B3C98 60F 

Polymorphism of the GQ2 private key - The different
possible representations of the GQ2 private key prove to
be equivalent: they all come back to the knowledge of
the factorization of the modulus n which is the true GQ2
private key. The representation of the GQ2 private key
has an effect on the operation of the computations
within the proving entity, not within the controlling
entity. Here are the three main possible representations
of the GQ2 private key.

1) The conventional representation of GQ private keys
consists in storing m private numbers Q_i and the public
verification key <v, n>; for GQ2 patterns, this
representation is in competition with the two which
follow.

2) The optimum representation in terms of work loads
consists in storing the parameter k, the f prime factors
p_j, m×f private components Q_{i,j} and f-1 parameters of
the Chinese remainders.

3) The optimum representation in terms of private key
size consists in storing the parameter k, the m base
numbers g_i, the f prime factors p_j, then, in starting
each usage by establishing either m private numbers Q_i
and the modulus n to come back to the first
representation, or else m×f private components Q_{i,j}
and f-1 parameters of the Chinese remainders to come back
to the second.

Because the security of the dynamic authentication
or digital signature mechanism is equivalent to
knowledge of a decomposition of the modulus, GQ2
patterns do not allow a simple distinction to be made
between two entities using the same modulus. Generally,
each proving entity has its own GQ2 modulus. However, it
is possible to specify GQ2 moduli with four prime
factors two of which are known by one entity and the two
others by another.

Dynamic authentication - The dynamic authentication
mechanism is intended to prove to an entity called a
controller the authenticity of another entity called a
demonstrator and the authenticity of any associated
message M, so that the controller can be sure that it is
the actual demonstrator and possibly that it and the
demonstrator are in fact speaking about the same
message M. The associated message M is optional, which
means that it may be empty.

The dynamic authentication mechanism is a sequence
of four acts: an act of commitment, an act of challenge,
an act of response and an act of checking. The
demonstrator performs the acts of commitment and
response. The controller performs the acts of challenge
and control.

Within the demonstrator, a witness may be isolated,
in such a way as to isolate the most sensitive
parameters and functions of the demonstrator, in other
words, the production of commitments and responses. The
witness has at its disposal the parameter k and the GQ2
private key, in other words, the factorization of the
modulus n according to one of the three representations
mentioned above:
• the f prime factors and the m base numbers,
• the m×f private components, the f prime factors and
  f-1 parameters of the Chinese remainders,
• the m private numbers and the modulus n.

The witness may correspond to a particular
embodiment, for example, • a chip card linked to a PC
together forming the demonstrator, or again, • specially
protected programs within a PC, or again, • specially
protected programs within a chip card. The witness so
isolated is similar to the witness defined hereinafter
within the signatory. With each operation of the
mechanism, the witness produces one or more commitments
R, then, as many responses D to as many challenges d.
Each set {R, d, D} constitutes a GQ2 triplet.

The demonstrator not only includes the witness, but
also has at its disposal, where necessary, a hashing
function and a message M.

The controller has at its disposal the modulus n,
for example, from a directory of public keys or again
from a register of public keys; where necessary, it also
has at its disposal the same hashing function and a
message M'. The GQ2 public parameters, namely the
numbers k, m and g_1 to g_m may be given to the
controller by the demonstrator. The controller is able to
restore a commitment R' from any challenge d and from any
response D. The parameters k and m inform the controller.
Unless otherwise indicated, the m base numbers from g_1
to g_m are the m first prime numbers. Each challenge d
must comprise m elementary challenges denoted from d_1 to
d_m: one per base number. Each elementary challenge from
d_1 to d_m is a number from 0 to 2^(k-1)-1 (the numbers
from v/2 to v-1 are not used). Typically, each challenge
is encoded by m times k-1 bits (and not by m times k
bits). For example, with k=5 and m=4 base numbers 5, 11,
21, and 26, each challenge comprises 16 bits transmitted
on four quartets. When the 2^((k-1)×m) possible
challenges are equally probable, the number (k-1)×m
determines the security brought by each GQ2 triplet: an
impostor who, by definition, does not know the
factorization of the modulus n has exactly 1 chance of
success in 2^((k-1)×m). When (k-1)×m is worth from 15 to
20, one triplet is enough to reasonably ensure dynamic
authentication. To reach any level of security, triplets
may be produced in parallel; they may also be produced in
sequence, in other words, by repeating the operation of
the mechanism.

1) The act of commitment includes the following
operations.

When the witness does not use Chinese remainders,
it has at its disposal the parameter k, the m private
numbers from Q_1 to Q_m and the modulus n; it draws at
random and in private one or more random numbers r
(0<r<n); then, by k successive raisings to the square
(mod n), it converts each random number r into a
commitment R.

R ≡ r^v (mod n)

Here is an example with the previous set of keys
without the Chinese remainders.

r=5E94B8 94AC2 4AF843131F437ClB17 97EF5 62CFA53AB8AD42 6ClAC0 
16F1C8 9CFDA1312 07194 7 7C3E2FB4B4 5 660 8 8E10EF9C010E8F0 9C60D 
5 981512198126091996 

R=6BBF9FFA5D5097 7 8D0F93AE07 4D3 6A07D95FFC3 8F7 0C8D7E3300EB 
F2 34FA0BC20A95152A8FB7 3DE81FAEE5BF4FD3EB7F5EE3E3 6D7 068D0 
83EF7C93F6FDDF67 3A 

When the witness uses Chinese remainders, it has at
its disposal the parameter k, the f prime factors from
p_1 to p_f, f-1 parameters of the Chinese remainders and
the m×f private components Q_{i,j}; it draws at random
and in private one or more collections of f random
numbers: each collection comprises one random number r_i
per prime factor p_i (0<r_i<p_i); then, by k successive
raisings to the square (mod p_i), it converts each random
number r_i into a commitment component R_i.

R_i ≡ r_i^v (mod p_i)

For each collection of f commitment components, the
witness establishes a commitment according to the
technique of Chinese remainders. There are as many
commitments as collections of random numbers.

R = Chinese Remainders (R_1, R_2, ... to R_f)

Here is an example with the previous set of keys
and with Chinese remainders.

r 1 -5C6D37F0E97 083C8D12 07194 7 5E0 80BBBF9F7 3 92FHF3E24 4FDF02 
04E84D8CAE 

K 1 =3DDF516EE3 94 5CB8 6D2 0D9C4 9E0DA4D4 22 81DO7A7 607 4DD4FEC5C7 
35 C5E205DF66 



r 2 =AC8F85034AC7 8112 07194 7C4 5722 5E908E83A2 621B0154EDl5DBFC 
B9A4915AC3 

K 2 =01168CEC0F661EAA15157C2C287C6A5B34EE2 8F8EB4D8D34 0858 07 
9BCAE4ECB016 

R = Chinese Remainders (R lr R 2 ) = 

0AE51D90CB4FDC3DC7 57C5 6E063C9ED8 6BE153B71FC65F4 7C12 3C27F 
082BC3DD152 7 3D4A92 3804 718573F2F05E991487D17DAE0AAB7DF0D0 
FFA23E0FE59F95F0 

In both cases, the demonstrator transmits to the
controller all or part of each commitment R, or else, a
hashing code H obtained by hashing each commitment R and
a message M.

2) The act of challenge consists in drawing at
random one or more challenges d each composed of m
elementary challenges d_1, d_2 to d_m; each elementary
challenge d_i is one of the numbers from 0 to v/2-1.

d = d_1, d_2 ... d_m

Here is a challenge for the two examples, in other
words with k=5 and m=4.

d_1=1011=11='B'; d_2=0011=3; d_3=0110=6; d_4=1001=9,
d = d_1||d_2||d_3||d_4 = 10110011 01101001 = B3 69

The controller transmits each challenge d to the
demonstrator.

3) The act of response comprises the following
operations.

When the witness does not use Chinese remainders,
it has at its disposal the parameter k, the m private
numbers from Q_1 to Q_m and the modulus n; it computes
one or more responses D by using each random number r of
the act of commitment and the private numbers in
accordance with the elementary challenges.

D ≡ r × Q_1^{d_1} × Q_2^{d_2} × ... Q_m^{d_m} (mod n)

Here is the sequence of the example without the
Chinese remainders.

D=02 7E6E808 4 25BF2B4 01FD00B15B64 2B1A84 53BE807 0D8 6C0A7 87 0E 
6C194 0F7A69 96C2D871EBE611812532AC587 5E0E116CC8BA648FD8E8 
6BE0B2ABCC3CCBBBE4 

When the witness uses Chinese remainders, it has at
its disposal the parameter k, the f prime factors from
p_1 to p_f, f-1 parameters of the Chinese remainders and
the m×f private components Q_{i,j}; it computes one or
more collections of f response components by using each
collection of random numbers of the act of commitment:
each collection of response components comprises one
component per prime factor.

D_i ≡ r_i × Q_{1,i}^{d_1} × Q_{2,i}^{d_2} × ... Q_{m,i}^{d_m} (mod p_i)

For each collection of response components, the
witness establishes a response in accordance with the
technique of Chinese remainders. There are as many
responses as challenges.

D = Chinese Remainders (D_1, D_2, ... D_f)

Here is the sequence of the example with Chinese
remainders.

D_1 ≡ r_1 × Q_{1,1}^{d_1} × Q_{2,1}^{d_2} × Q_{3,1}^{d_3} × Q_{4,1}^{d_4} (mod p_1) =

C71F8 6F6FD8F955E2EE4 34BFA7 7 0 6E38E5E71537 5BC2CD2 02 9A4BD57 

2A9EDEE6 

D_2 ≡ r_2 × Q_{1,2}^{d_1} × Q_{2,2}^{d_2} × Q_{3,2}^{d_3} × Q_{4,2}^{d_4} (mod p_2) =
0BE02 2F4A2 0523F98E9F5DBEC0E108 87 902F3AA4 8C8 64A6C35 4 693AD
0B59D85E 

£)=90CE7EA4 3CB8EA8 9ABDD0C814FB7 2ADE7 4F02FE6F0 98ABB98C857 7 
A660B9CFCEAECB93BE1BCC35 6811BF12DD667E22 7 0134C907 3B9418C 
5 A5EBF5191218D3FDB3 

In both cases, the demonstrator transmits each
response D to the controller.

4) The act of checking consists in checking that
each triplet {R, d, D} verifies an equation of the
following type for a non nil value,

R × ∏_{i=1}^{m} G_i^{d_i} ≡ D^{2^k} (mod n)   or else   R ≡ D^{2^k} × ∏_{i=1}^{m} G_i^{d_i} (mod n)

or else, in re-establishing each commitment: none must
be nil.

R' ≡ D^{2^k} / ∏_{i=1}^{m} G_i^{d_i} (mod n)   or else   R' ≡ D^{2^k} × ∏_{i=1}^{m} G_i^{d_i} (mod n)

Possibly, the controller next computes a hashing
code H' by hashing each re-established commitment R' and
a message M'. The dynamic authentication is successful
when the controller thus regains what it received at the
end of the act of commitment, in other words, all or
part of each commitment R, or else, the hashing code H.

For example, a sequence of elementary operations
converts the response D into a commitment R'. The
sequence includes k squares (mod n) separated by k-1
divisions or multiplications (mod n) by base numbers.
For the i-th division or multiplication, which is
carried out between the i-th square and the i+1-th
square, the i-th bit of the elementary challenge d_1
indicates whether it is necessary to use g_1, the i-th
bit of the elementary challenge d_2 indicates whether it
is necessary to use g_2, up to the i-th bit of the
elementary challenge d_m which indicates whether it is
necessary to use g_m.

Here is the end of the example without the Chinese
remainders.

Z>02 7E6E8 08425BF2B4 01FDOOB15B64 2B1A8453BE8070D8 6COA7 870E 
6C194 0F7A6996C2D871EBE611812532AC587 5E0E116CC8BA64 8FD8E8 
6BE0B2ABCC3CCBBBE4 


Raise to the square modulo n: 

88BA681DD641D37D7A7D9818D0DBEA82174 073 997C6C32F7FCAB3038 
OC4C622 9B070 6D1AF6EBD84 617 771C31B424 3C2F037 6CAF5DCEB64 4F 
15 098FAF3B1EB49B39 

Multiply by 5 times 26 = 130, i.e. '82' modulo n: 

6ECABA65A91C22 431C413E4EC7C7B3 9FDE14C97 82C94FD6FA3CAAD7A 
20 FE192B94 4 0C1113CB8DBC4 5619595D2 63C10 67D3D0A84 0FDE008B415 
028AB3520A6AD49D 

Raise to the square modulo n: 

0236D2504 9A5217B13818B3 9AFB00 9E4D7D52B174 8 6EBF844D64CF75 
25 C4F65203104132 8B2 9EBF082 9D54E3BD17DAD21817 4A01E6E3AA650C 
6FD62CC274426607 

Multiply by 21, i.e. '15' modulo n: 

30 2E7F4 0 960A8BBF18 99A0 6BBB697 0CFC5B4 7C88E8F115B5DA594 504A9 
2 834BA4 0555 925 6A705ABAB6E7F6AE82F4F33BF9E91227F0ACFA4A05 
2C91ABF389725E93 

Raise to the square modulo n: 
B80217117 964 8AD687E672D3A32 64 0E2 4 93BA2E82D5DC87DBA2B2CC0
32 5E7A71C50E8AE02E2 99EF8 68DD3FB916EBCBC0C5569B53D4 2DAD4 9 
C956D8572E1285B0 

Multiply by 5 times 11 times 21 = 1155, i.e. '483'
modulo n:

33055 6027 631 0DEFEC1337EB5BB581033 6FDB28E91B350D4 8 5B0 9188 
E0C4F1D67E68E9590DB7F9F3 9C22BDB4 53301362501124 8A8DC417C6 
10 67B419D27CB11F72 

Raise to the square modulo n: 

8 871C4 94 081ABD1AEB8 656C38B9BAAB57DBA72A4BD4EF902 9ECBFFF5 
15 4 0E55138C9F22 923 963151FD07 5314 5DF70CE22E9D019990E41DB610 
4005EEB7B1170559 

Multiply by 5 times 11 times 26 = 1430, i.e. '596' 
modulo n: 

20 2CF5F7 6EEBF12 8A07 01B56F837FF68F81A6A5D17 5D0AD67A14DAEC6F 
B68C3 62B1DC0ADD6CFC004FF5EEACDF7 94 563BB09A17 04 5ECFFF88F5 
136C7FBC825BC50C 

Raise to the square modulo n: 


6BBF9FFA5D5097 7 8D0F93AE074D36A07D95FFC38F7 0C8D7E3300EBF2 
3 4FA0BC2 0A95152A8FB7 3DE81FAEE5BF4FD3EB7F5EE3E3 6D7 0 68D083 
EF7C93F6FDDF673A 

The commitment R is found. The authentication is
successful.

Here is the end of the example with Chinese
remainders.
D=90CE7EA4 3CB8EA8 9ABDD0C814FB72ADE7 4F02FE6F0 98ABB98C857 7
A660B9CFCEAECB93BE1BCC35 6811BF12DD667E227 0134C907 3B9418C 
A5EBF5191218D3FDB3 

Raise to the square modulo n:

7 7 0192 532E9CED554A8 690B8 8F16D013010C903172B2 6 6C1133B136E 
BE3EB5F13B17 0DD41F4ABE14 7 3 6ADD3A7 0DFA4 3121B6FC5560CDD4B4 
845395763C792A68 


Multiply by 5 times 26 = 130, i.e. '82' modulo n: 

6EE9BEF9E52 713004 971ABB9FBC3114 5318E2A7 03C8A2FB3E14 4E7 7 8 
63 97CD8D1910E70FA862 62DB771AD1565303AD6E4CC6E90AE3 64 6B4 6 
15 1D3521420E240FD4 

Raise to the square modulo n: 
D984 0D9A8E80002C4D032 9FF97D7AD163D8FA98F6AF8FE2B2160B212 
6CBBDFC7 34E3 9F2C9A3 998 3A42 64 8 6BC4 7 7F2 0ED2CA5 9E664C23CA0E 
20 04E84F2F0AD6534 0 

Multiply by 21, i.e. '15' modulo n: 

D7DD7 516383F7 8 94 4F2C90116E1BEE0CCDC8D7CEC5D7D17 95ED33BFE 
25 8 62 3DB3D2E5B6C5F62A5 6A2DF4 84 5A94F32BF3CAC3 60C7 7 82B5 94192 
4BB4BE91F86BD85F 

Raise to the square modulo n: 

30 DD34 020DD0804C07 57F2 9A0CBBD7B4 6A1BAF94 9214F7 4FDFE021B62 6 
ADAFBAB5C3F1602 095DA3 9D7 02 7 0938AE3 62F2DAE0B914 855310C7BC 
A328A4B2643DCCDF 

Multiply by 5 times 11 times 21 = 1155, i.e. '483'
modulo n:
038EF55B4C82 6D18 9C6A4 4 8EFDD9DADBD2B63A7D67 5A058 7C8559618
EA2D8 3DF552D24EAF6BE983FB4AFB3DE7D4D2 54 5190F1B1F94 6D327A 
4E9CA2 58C7 3A98F57 

Raise to the square modulo n:

D12 32F50E30BC6B7 365CC2712E5CAE07 9E4 7B971DA03185B33E918EE 
6E992 52DB357 3CC87C60 4B32 7E5B20C7AB920FDF142A8 90 9DBBA1C04 
A6227FF18241C9FE 


Multiply by 5 times 11 times 26 = 1430, i.e. '596' 
modulo n : 

3CC7 68F12AEDFCD4 662 8 92B917 4A21D1F0DD912 7A54AB63C984 019BE 
D9BF882 4 7EF4CCB5 6D71E0FA30CFB0FF28B7CE4 555 6F7 4 4C1FD7 51BF 
15 BCA04 0DC9CBAB7 4 4 

Raise to the square modulo n:

0AE51D90CB4FDC3DC757C5 6E063C9ED8 6BE153B71FC65F4 7C123C27F 
20 082BC3DD152 7 3D4A9238 04 71857 3F2F05E9914 87D17DAE0AAB7DF0D0 
FFA23E0FE59F95F0 

The commitment R is found. The authentication is
successful.
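
The four acts above can be traced end to end on a toy key. The following Python is an added example, not code from the application: it assumes two constructed primes congruent to 3 (mod 4) (the t=1 case), so that the private numbers follow from a single exponentiation, reuses the example's k=5 and base numbers 5, 11, 21, 26, and all function names are hypothetical.

```python
import math
import secrets

# Constructed toy key (assumption): two small primes congruent to 3 (mod 4),
# i.e. the t=1 case. Far too small for real use; chosen so values can be traced.
P1, P2 = 1019, 1187
N = P1 * P2
K = 5                       # security parameter, v = 2**K
V = 1 << K
BASES = [5, 11, 21, 26]     # base numbers g_1..g_m used in the page's example


def private_numbers(bases, k, p1, p2):
    """Private numbers Q_i with G_i * Q_i**v == 1 (mod n), where G_i = g_i**2.

    With p = 3 (mod 4) every square has odd rank dividing (p-1)/2, so one
    exponent s with s * 2**k == -1 (mod lam) yields the inverse-type solution.
    """
    n = p1 * p2
    a, b = (p1 - 1) // 2, (p2 - 1) // 2
    lam = a * b // math.gcd(a, b)            # odd, so 2 is invertible mod lam
    s = (-pow(2, -k, lam)) % lam
    return [pow(g * g % n, s, n) for g in bases]


def commit(n, k, r=None):
    """Act of commitment: pick r, return (r, R) with R = r**v by k squarings."""
    while r is None or math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    R = r
    for _ in range(k):
        R = R * R % n
    return r, R


def draw_challenge(m, k):
    """Act of challenge: m elementary challenges, each of k-1 bits."""
    return [secrets.randbelow(1 << (k - 1)) for _ in range(m)]


def respond(r, d, q, n):
    """Act of response: D = r * Q_1**d_1 * ... * Q_m**d_m (mod n)."""
    D = r
    for qi, di in zip(q, d):
        D = D * pow(qi, di, n) % n
    return D


def multipliers(d, bases, k):
    """Product of the base numbers selected by each challenge bit, MSB first."""
    steps = []
    for bit in range(k - 2, -1, -1):
        prod = 1
        for g, di in zip(bases, d):
            if (di >> bit) & 1:
                prod *= g
        steps.append(prod)
    return steps


def reestablish(D, d, bases, k, n):
    """Act of checking: k squarings separated by k-1 multiplications."""
    x = D * D % n
    for mult in multipliers(d, bases, k):
        x = x * mult % n
        x = x * x % n
    return x            # equals D**v * prod(G_i**d_i) (mod n)


def authenticate(d=None):
    """Run one GQ2 triplet {R, d, D}; True when the controller regains R."""
    q = private_numbers(BASES, K, P1, P2)
    r, R = commit(N, K)
    if d is None:
        d = draw_challenge(len(BASES), K)
    if any(not 0 <= di < V // 2 for di in d):
        return False    # elementary challenges from v/2 to v-1 are not used
    D = respond(r, d, q, N)
    return D != 0 and reestablish(D, d, BASES, K, N) == R


if __name__ == "__main__":
    page_d = [0b1011, 0b0011, 0b0110, 0b1001]     # challenge B369 from the page
    print(multipliers(page_d, BASES, K))
    print(authenticate(page_d))
```

For the challenge B369, `multipliers` reproduces the schedule of the worked example (130, 21, 1155, 1430); a response checked against a different challenge, or altered in transit, does not re-establish R.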


Digital signature 

The digital signature mechanism allows an entity
called a signatory to produce signed messages and an
entity called a controller to verify signed messages.
The message M is any binary sequence: it may be empty.
The message M is signed with an adjoining signature
appendix, which includes one or more commitments and/or
challenges, as well as the corresponding responses.

The controller has at its disposal the modulus n,
for example, from a directory of public keys or else
from a register of public keys; it also has the same
hashing function. The GQ2 public parameters, namely the
numbers k, m and g_1 to g_m may be given to the
controller by the demonstrator, for example, by putting
them in the signature appendix.
The numbers k and m inform the controller. On the
one hand, each elementary challenge, from d_1 to d_m, is
a number from 0 to 2^(k-1)-1 (the numbers v/2 to v-1 are
not used). On the other hand, each challenge d must
comprise m elementary challenges denoted from d_1 to d_m,
as many as base numbers. Additionally, unless otherwise
indicated, the m base numbers, from g_1 to g_m, are the m
first prime numbers. With (k-1)×m being worth from 15 to
20, it is possible to sign with four GQ2 triplets
produced in parallel; with (k-1)×m being worth 60 or
more, it is possible to sign with a single GQ2 triplet.
For example, with k=9 and m=8, a single GQ2 triplet is
sufficient; each challenge comprises eight bytes and the
base numbers are 2, 3, 5, 7, 11, 13, 17, and 19.

The signature operation is a sequence of three
acts: an act of commitment, an act of challenge, and an
act of response. Each act produces one or more GQ2
triplets each including: a commitment R (≠0), a
challenge d composed of m elementary challenges denoted
by d_1, d_2, ... d_m and a response D (≠0).

The signatory has at its disposal a hashing
function, the parameter k and the GQ2 private key, in
other words, the factorization of the modulus n
according to one of the three representations mentioned
above. Within the signatory, it is possible to isolate a
witness who performs the acts of commitment and
response, in such a way as to isolate the most sensitive
functions and parameters of the demonstrator. In order
to compute commitments and responses, the witness has at
its disposal the parameter k and the GQ2 private key, in
other words, the factorization of the modulus n
according to one of the three representations mentioned
above. The witness so isolated is similar to the witness
defined within a demonstrator. It may correspond to one
particular embodiment, for example, • a chip card linked
to a PC together forming the signatory, or again, •
specially protected programs within a PC, or again, •
specially protected programs within a chip card.

1) The act of commitment includes the following
operations.

When the witness has at its disposal m private
numbers Q_1 to Q_m and the modulus n, it draws at random
and in private one or more random numbers r (0<r<n);
then, by k successive raisings to the square (mod n), it
converts each random number r into a commitment R.

R ≡ r^v (mod n)

When the witness has at its disposal the / prime 
factors from p 1 to pf , and the mxf private components Q ljf 

it draws at random and in private one or more 
20 collections of / random numbers: each collection 
comprises one random number r ± per prime factor p ± 
(0<ir i <p i ); then, by k successive raisings to the square 
(mod Pi) , it converts each random number r ± into a 
commitment component R ± . 

25 

Hi = r/ (mod p ± ) 

For each collection of / commitment components, the 
witness establishes a commitment according to the 
30 technique of Chinese remainders. There are as many 
commitments as collections of random numbers. 

R = Chinese Remainders (R lr R 2r to Rf) 



2) The act of challenge consists in hashing all the
commitments R and the message to sign M in order to
obtain a hashing code from which the signatory forms one
or more challenges each including m elementary
challenges; each elementary challenge is a number from 0
to v/2-1; for example, with k=9 and m=8, each challenge
comprises eight bytes. There are as many challenges as
commitments.

$d = d_1\ d_2 \ldots d_m$, extracted from the result Hash(M, R)

3) The act of response comprises the following
operations.

When the witness has at its disposal the m private
numbers from $Q_1$ to $Q_m$ and the modulus n, it computes one
or more responses D by using each random number r of the
act of commitment and the private numbers in accordance
with the elementary challenges.

$$X \equiv Q_1^{d_1} \times Q_2^{d_2} \times \ldots \times Q_m^{d_m} \pmod{n}$$
$$D \equiv r \times X \pmod{n}$$

When the witness has at its disposal the f prime
factors from $p_1$ to $p_f$, and the $m \times f$ private components $Q_{i,j}$,
it computes one or more collections of f response
components by using each collection of random numbers of
the act of commitment: each collection of response
components comprises one component per prime factor.

$$X_i \equiv Q_{1,i}^{d_1} \times Q_{2,i}^{d_2} \times \ldots \times Q_{m,i}^{d_m} \pmod{p_i}$$
$$D_i \equiv r_i \times X_i \pmod{p_i}$$

For each collection of response components, the
witness establishes a response in accordance with the
technique of Chinese remainders. There are as many
responses as challenges.

D = Chinese Remainders ($D_1$, $D_2$, to $D_f$)

The signatory signs the message M joining to it a
signature appendix including:

- either, each GQ2 triplet, i.e., each
commitment R, each challenge d and each response D,
- or, each commitment R and each corresponding
response D,
- or, each challenge d and each corresponding
response D.

The performance of the verification operation
depends on the content of the signature appendix. A
distinction can be made between the three cases.

Where the appendix includes one or more triplets,
the control operation comprises two independent
processes the chronology of which is immaterial. The
controller accepts the signed message if and only if the
two following conditions are met.

On the one hand, each triplet must be coherent (an
appropriate relation of the following type must be
verified) and receivable (the comparison must be made on
a non nil value).

$$R \times \prod_{i=1}^{m} G_i^{d_i} \equiv D^{2^k} \pmod{n} \quad \text{or else} \quad R \equiv D^{2^k} \times \prod_{i=1}^{m} G_i^{d_i} \pmod{n}$$

For example, the response D is converted by a
sequence of elementary operations: k squares (mod n)
separated by k-1 multiplications or divisions (mod n) by
base numbers. For the i-th multiplication or division,
which is carried out between the i-th square and the
i+1-th square, the i-th bit of the elementary challenge
$d_1$ indicates whether it is necessary to use $g_1$, the i-th
bit of the elementary challenge $d_2$ indicates whether it
is necessary to use $g_2$, up to the i-th bit of the
elementary challenge $d_m$ which indicates whether it is
necessary to use $g_m$. In this way each commitment R is to
be found present in the signature appendix.

On the other hand, the triplet or triplets must be
tied to the message M. By hashing all the commitments R
and the message M, a hashing code is obtained from which
each challenge d is to be found.

$d = d_1\ d_2 \ldots d_m$, identical to those extracted from
the result Hash(M, R)

Where the appendix does not include a challenge,
the control operation starts with the reconstitution of
one or more challenges d' by hashing all the commitments
R and the message M,

$d' = d'_1\ d'_2 \ldots d'_m$, extracted from the result Hash(M, R)

Next, the controller accepts the signed message if
and only if each triplet is coherent (an appropriate
relation of the following type is verified) and
receivable (the comparison is made on a non nil value).

$$R \times \prod_{i=1}^{m} G_i^{d'_i} \equiv D^{2^k} \pmod{n} \quad \text{or else} \quad R \equiv D^{2^k} \times \prod_{i=1}^{m} G_i^{d'_i} \pmod{n}$$

Where the appendix does not include a commitment,
the control operation starts with the reconstitution of
one or more commitments R' according to one of the two
following formulas, the one which is appropriate. No
re-established commitment must be nil.

$$R' \equiv D^{2^k} \Big/ \prod_{i=1}^{m} G_i^{d_i} \pmod{n} \quad \text{or else} \quad R' \equiv D^{2^k} \times \prod_{i=1}^{m} G_i^{d_i} \pmod{n}$$

Next, the controller must hash all the commitments
R' and the message M so as to reconstitute each
challenge d.

$d = d_1\ d_2 \ldots d_m$, identical to those extracted from the
result Hash(M, R')

The controller accepts the signed message if and
only if each reconstituted challenge is identical to the
corresponding challenge featuring in the appendix.

CLAIMS

1. A process intended to prove to a controller
entity,

- the authenticity of an entity and/or

- the integrity of a message M associated with this
entity;

said process implementing:

- a public modulus n constituted by the product of
f prime factors $p_1, p_2 \ldots p_f$ (f being greater than or
equal to 2) or implementing the f prime factors;

- m different whole base numbers $g_1, g_2 \ldots g_m$ (m
being greater than or equal to 1), $g_i$ being less than the
f prime factors $p_1, p_2 \ldots p_f$;

- m pairs of private $Q_1, Q_2, \ldots Q_m$ and public
$G_1, G_2, \ldots G_m$ values (m being greater than or equal to 1) or
parameters derived from them;

said modulus and said private and public values
being connected by relations of the type:

$$G_i \cdot Q_i^v \equiv 1 \bmod n \quad \text{or} \quad G_i \equiv Q_i^v \bmod n$$

said public value $G_i$ being the square $g_i^2$ of the
base number, v denoting a public exponent of the form:

$$v = 2^k$$

where k is a security parameter greater than 1;

the process according to the invention including
the step of producing the f prime factors $p_1, p_2 \ldots p_f$
and/or the m base numbers $g_1, g_2 \ldots g_m$ in such a way that
the following conditions are met.

First condition:

According to the first condition, each of the
equations:

$$x^v \equiv g_i^2 \bmod n \qquad (1)$$

has solutions in x in the ring of the integers
modulo n.

Second condition:

where $G_i \equiv Q_i^v \bmod n$, among the m numbers $q_i$ obtained
by raising $Q_i$ to the square modulo n, k-1 times of rank,
one of them is different from $\pm g_i$ (in other words is
nontrivial).

where $G_i \cdot Q_i^v \equiv 1 \bmod n$, among the m numbers $q_i$
obtained by raising the inverse of $Q_i$ to the square
modulo n, k-1 times of rank, one of them is different
from $\pm g_i$ (in other words is nontrivial).

Third condition:

among the 2m equations:

$$x^2 \equiv g_i \bmod n \qquad (2)$$
$$x^2 \equiv -g_i \bmod n \qquad (3)$$

at least one of them has solutions in x in the ring
of the integers modulo n;

the process according to the invention for
producing the f prime factors $p_1, p_2$ to $p_f$ and/or the m
base numbers $g_1, g_2$ to $g_m$ includes the step of choosing
firstly:

• the security parameter k
• the m base numbers $g_1, g_2$ to $g_m$ and/or the f
prime factors $p_1, p_2$ to $p_f$.

2. A process according to claim 1 such that the m
base numbers $g_1, g_2 \ldots g_m$ are chosen at least partly among
the first whole numbers.

3. A process according to one of the claims 1 or 2
such that the security parameter k is a small whole
number, particularly less than 100.

4. A process according to any one of claims 1 to 3
such that the size of the modulus n is more than several
hundred bits.

5. A process according to any one of claims 1 to 4
such that the f prime factors $p_1, p_2$ to $p_f$ have a size
close to the size of the modulus n divided by the number
f of factors.

6. A process according to any one of claims 1 to 5
such that to test the first condition, the compatibility
of the numbers k, p, g is verified by implementing the
algorithm given below:

- by h is denoted a number such that $2^h$ divides the
rank of g relative to p and such that $2^{h+1}$ does not
divide it,

- h is computed from the Legendre symbol (g|p) and
from a number b equal to a $2^t$-th primitive root of the
unit in CG(p),

• if (g|p) = -1 then h = t

• if (g|p) = +1 with t = 1, then h = 0

• if (g|p) = +1 with t > 1, then the key
$\langle (p-1+2^t)/2^{t+1},\ p \rangle$ is applied to G, a result w is thus
obtained:

• • if w = +g, then h = 0

• • if w = p-g, then h = 1

• • otherwise, the computation sub-modulus below
is applied, by initializing the variable c attributing
to it the value b, then iterating the following steps
for values of i from t-1 to 2:

step 1: the key $\langle 2^i, p \rangle$ is applied to w/g (mod p),

* if the result obtained is equal to +1, go to step 2,

* if the result obtained is equal to -1, the value
i is attributed to h and w is replaced by w.c (mod p),

step 2: c is replaced by $c^2$ (mod p),

the value of h sought is that obtained the last
time the application of the key $\langle 2^i, p \rangle$, in accordance
with step 1, produced a result equal to -1.

(it may be recalled that

- k, g, p are compatible when h>1 and when k+h>t+1,

- k, g, p are compatible when h=0 or 1, whatever
the value of k, or when h>1 and when k+h<t+1).

(in said algorithm, the Legendre symbol and t have
the sense defined in the description).

7. A process according to claim 6 such that to test
the second condition, a check is made that at least one
set $\{\delta_{i,1} \ldots \delta_{i,f}\}$ is variable or nil,

($\delta$ has the sense defined in the description).

8. A process according to claim 7 such that to test
the third condition, a check is made that there is a
base number $g_i$ from $g_1$ to $g_m$ such that the f Legendre
symbols $(g_i|p_1)$ to $(g_i|p_f)$ are all equal to +1 or else
the f Legendre symbols $(-g_i|p_1)$ to $(-g_i|p_f)$ are all equal
to +1.

9. A process according to any one of claims 1 to 8
such that to compute the f.m private components $Q_{i,j}$ of
the private values $Q_1, Q_2 \ldots Q_m$ ($Q_{i,j} \equiv Q_i \bmod p_j$), where
$G_i \equiv Q_i^v \bmod n$:

- if t = 1 (i.e. if $p_j \equiv 3 \pmod 4$):

• a number $s_j$ is computed such that
$s_j \equiv ((p_j+1)/4)^k \pmod{(p_j-1)/2}$,

• its key $\langle s_j, p_j \rangle$ is deduced,

• the key $\langle s_j, p_j \rangle$ is applied to $G_i$,

• we thus have: $w \equiv G_i^{s_j} \pmod{p_j}$,

• the two possible values of $Q_{i,j}$ are $w$, $p_j - w$,

- if t = 2 (i.e. if $p_j \equiv 5 \pmod 8$):

• a number $s_j$ is computed such that
$s_j \equiv ((p_j+3)/8)^k \pmod{(p_j-1)/4}$,

• its key $\langle s_j, p_j \rangle$ is deduced,

• the key $\langle s_j, p_j \rangle$ is applied to $G_i$,

• we thus have: $w \equiv G_i^{s_j} \pmod{p_j}$ and $w' \equiv w.z \pmod{p_j}$,

• the four possible values of $Q_{i,j}$ are $w$, $p_j - w$,
$w'$, $p_j - w'$,

(in said algorithm z has the sense defined in the
description).

- if t>2 (i.e. if $p_j \equiv 2^t+1 \pmod{2^{t+1}}$) and if h=0 or if
h=1,

• a number $s_j$ is computed such that
$s_j \equiv ((p_j-1+2^t)/2^{t+1})^k \pmod{(p_j-1)/2^t}$,

• its key $\langle s_j, p_j \rangle$ is deduced,

• the key $\langle s_j, p_j \rangle$ is applied to $G_i$,

• we thus have: $w \equiv G_i^{s_j} \pmod{p_j}$.

• the $2^{\min(k,t)}$ possible values of $Q_{i,j}$ are equal
to the product of w by any one of the $2^{\min(k,t)}$-th roots
of the unit in CG($p_j$).

- if t>2 (i.e. if $p_j \equiv 2^t+1 \pmod{2^{t+1}}$) and if h>1 and if
h+k<t+1,

• $s_j$ is computed such that
$s_j \equiv ((p_j-1+2^t)/2^{t+1})^{k+h-1} \pmod{(p_j-1)/2^t}$,

• its key $\langle s_j, p_j \rangle$ is deduced,

• the key $\langle s_j, p_j \rangle$ is applied to the $2^{h-1}$-th
power of $G_i$,

• w is thus obtained

• the $2^k$ possible values of $Q_{i,j}$ belong to all
the products of w by the $2^{k+h-1}$-th primitive roots of the
unit in CG($p_j$).

10. A process according to claim 9 such that to
compute the private components $Q_{i,j}$ where $G_i \cdot Q_i^v \equiv 1 \bmod n$,
$s_j$ is replaced by $((p_j-1)/2^t) - s_j$ in the key $\langle s_j, p_j \rangle$.



11. A process applying the process, according to
any one of the claims 1 to 8, allowing the f prime
factors $p_1, p_2 \ldots p_f$ or the m base numbers $g_1, g_2 \ldots g_m$ to
be produced:

said process being intended to prove to a
controller entity,

- the authenticity of an entity and/or

- the integrity of a message M associated with this
entity,

by means of m pairs of private $Q_1, Q_2 \ldots Q_m$ and public
$G_1, G_2, \ldots G_m$ values (m being greater than or equal to 1)
or parameters derived from them, particularly by means
of the private components $Q_{i,j}$;

said process implementing according to the steps
hereinafter an entity called a witness;

said witness entity having the f prime factors $p_i$
and/or the parameters of the values of the Chinese
remainders of the prime factors; and/or the public
modulus n and/or the m private values $Q_i$ and/or the f.m
private components $Q_{i,j}$ of the private values $Q_i$ and the
public exponent v;

- the witness computes commitments R in the ring of
the integers modulo n: each commitment being computed:

• either by performing operations of the type

$$R \equiv r^v \bmod n$$

where r is a random number such that 0<r<n,

• or

• • by performing operations of the type

$$R_i \equiv r_i^v \bmod p_i$$

where $r_i$ is a random number associated with the
prime number $p_i$ such that $0 < r_i < p_i$, each $r_i$ belonging to a
collection of random numbers $\{r_1, r_2, \text{to } r_f\}$,

• • then by applying the method of Chinese
remainders;

- the witness receives one or more challenges d;
each challenge d comprising m integers $d_i$ hereinafter
called elementary challenges; the witness computes from
each challenge d a response D,

• either by performing operations of the type

$$D \equiv r \cdot Q_1^{d_1} \cdot Q_2^{d_2} \text{ to } Q_m^{d_m} \bmod n$$

• or

• • by performing operations of the type:

$$D_i \equiv r_i \cdot Q_{i,1}^{d_1} \cdot Q_{i,2}^{d_2} \text{ to } Q_{i,m}^{d_m} \bmod p_i$$

• • then by applying the method of Chinese
remainders;

said process being such that there are as many
responses D as challenges d and commitments R, each
group of numbers R, d, D constituting a triplet denoted
{R, d, D}.
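
The signature and control operations of the description, the witness steps of claim 11 and the t = 1 branch of claim 9 can be exercised end to end. The Python below is an added example, not code from the application: SHA-256, the byte encoding of R, the two Mersenne prime factors and every function name are assumptions, and the key is a constructed toy key far too small for real use.

```python
import hashlib
import math
import secrets

# Constructed toy key. k = 9, m = 8 and the first eight primes as base numbers
# follow the page's example; the two Mersenne prime factors (both 3 mod 4,
# i.e. the t = 1 case of claim 9) are an assumption made for this example.
K = 9
V = 1 << K                                   # public exponent v = 2^k
BASES = [2, 3, 5, 7, 11, 13, 17, 19]
PRIMES = [2**31 - 1, 2**61 - 1]
N = PRIMES[0] * PRIMES[1]
G = [g * g for g in BASES]                   # public values G_i = g_i^2

def crt(residues, primes):
    """Chinese remainders: the x below prod(primes) with x = r_j mod p_j."""
    x, mod = 0, 1
    for r, p in zip(residues, primes):
        x += mod * ((r - x) * pow(mod, -1, p) % p)
        mod *= p
    return x

def private_components():
    """Claim 9, t = 1: Q[i][j] = G_i^s_j mod p_j, s_j = ((p_j+1)/4)^k mod (p_j-1)/2."""
    return [[pow(Gi, pow((p + 1) // 4, K, (p - 1) // 2), p) for p in PRIMES]
            for Gi in G]                     # the other admissible value is p_j - w

def key_conditions(Q):
    """Check the three conditions of claim 1 for the relation G_i = Q_i^v mod n."""
    first = all(pow(w, V, p) == Gi for Gi, row in zip(G, Q)
                for w, p in zip(row, PRIMES))
    # q_i is Q_i squared k-1 times; nontrivial means neither g_i nor -g_i
    q = [crt([pow(w, V // 2, p) for w, p in zip(row, PRIMES)], PRIMES) for row in Q]
    second = any(qi not in (g, N - g) for qi, g in zip(q, BASES))
    # x^2 = g_i or x^2 = -g_i is solvable mod n when all Legendre symbols are +1
    third = any(all(pow(s * g % p, (p - 1) // 2, p) == 1 for p in PRIMES)
                for g in BASES for s in (1, -1))
    return first, second, third

def challenge(message, R):
    """m elementary challenges in 0 .. v/2 - 1; SHA-256 and the encoding are assumed."""
    size = (N.bit_length() + 7) // 8
    digest = hashlib.sha256(message + R.to_bytes(size, "big")).digest()
    return list(digest[:len(BASES)])         # one byte each, since v/2 = 256

def sign(message, Q):
    """One GQ2 triplet (R, d, D), computed per prime factor and recombined."""
    r = [1 + secrets.randbelow(p - 1) for p in PRIMES]        # 0 < r_j < p_j
    R = crt([pow(rj, V, p) for rj, p in zip(r, PRIMES)], PRIMES)
    d = challenge(message, R)
    D_parts = [r[j] * math.prod(pow(row[j], di, p) for row, di in zip(Q, d)) % p
               for j, p in enumerate(PRIMES)]
    return R, d, crt(D_parts, PRIMES)

def g_product(d):
    """Product of the G_i^d_i modulo n."""
    return math.prod(pow(Gi, di, N) for Gi, di in zip(G, d)) % N

def verify(message, R=None, d=None, D=None):
    """Controller side for the appendix forms (R, d, D), (R, D) and (d, D)."""
    if D is None or not 0 < D < N or (R is None and d is None):
        return False
    if d is not None and (len(d) != len(BASES) or any(not 0 <= x < V // 2 for x in d)):
        return False
    if R is None:                            # no commitment: re-establish R'
        R = pow(D, V, N) * pow(g_product(d), -1, N) % N
    if not 0 < R < N:                        # receivable: non-nil values only
        return False
    if d is None:                            # no challenge: reconstitute d'
        d = challenge(message, R)
    coherent = R * g_product(d) % N == pow(D, V, N)
    return coherent and list(d) == challenge(message, R)
```

For this constructed key, base number 2 is a quadratic residue modulo both factors, which meets the third condition, while 5 is a residue modulo only one of them, which makes its $q_i$ nontrivial as the second condition requires.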

(54) Title: SETS OF PARTICULAR KEYS DESIGNED TO PROVE THE AUTHENTICITY OF AN ENTITY OR THE INTEGRITY
OF A MESSAGE

(57) Abstract: The invention concerns a set of particular keys designed to prove the authenticity of an entity or the integrity of a
message. The proof is established by a set of keys comprising: m (≥1) pairs of private $Q_i$ and public $G_i = g_i^2$ values; a public modulus
n consisting of the product of f (≥2) prime factors; an exponent $v = 2^k$ (k > 1), linked by relationships of the type: $G_i \cdot Q_i^v \equiv 1 \bmod n$
or $G_i \equiv Q_i^v \bmod n$. The set of keys is produced such that among the m numbers obtained by raising $Q_i$ or its inverse modulo n
to the square modulo n, k-1 times of rank, at least one of them is different from $\pm g_i$; among the 2m equations: $x^2 \equiv g_i \bmod n$, $x^2 \equiv -g_i \bmod n$,
at least one of them has solutions in x in the ring of the integers modulo n.

(57) Abstract (translated from the French): The proof is established by means of sets of keys comprising: m (≥1) pairs of private $Q_i$ and public $G_i = g_i^2$
values; a public modulus n constituted by the product of f (≥2) prime factors; an exponent $v = 2^k$ (k > 1), linked by relations of the type:
$G_i \cdot Q_i^v \equiv 1 \bmod n$ or $G_i \equiv Q_i^v \bmod n$. The sets of keys are produced such that: among the m numbers obtained by raising $Q_i$
or its inverse modulo n to the square modulo n, k-1 times of rank, at least one of them is different from $\pm g_i$; among the 2m equations:
$x^2 \equiv g_i \bmod n$, $x^2 \equiv -g_i \bmod n$, at least one of them has solutions in x in the ring of the integers modulo n.

COMBINED DECLARATION AND POWER OF ATTORNEY
IN ORIGINAL APPLICATION

Attorney Docket No. F40.12-0006

SPECIFICATION AND INVENTORSHIP IDENTIFICATION

As a below named inventor, I declare that:

My residence, post office address and citizenship are as stated
below next to my name.

I believe I am the original, first and joint inventor of the
subject matter which is claimed, and for which a patent is sought, on the
invention entitled SET OF PARTICULAR KEYS FOR PROVING AUTHENTICITY OF AN
ENTITY OR THE INTEGRITY OF A MESSAGE the specification of which,

(check one)

X is attached hereto.

X was filed on March 29, 2002 as Appln. No. 10/089,646
and was amended on

X was described and claimed in PCT International Application
No. PCT/FR00/02715 filed on 29 September 2000 and as amended
under PCT Article 19 on .

ACKNOWLEDGEMENT OF REVIEW OF PAPERS AND DUTY OF CANDOR

I have reviewed and understand the contents of the above identified
application, including the claims, as amended by any amendment referred to
above. I acknowledge the duty to disclose information which is known to me to
be material to the patentability of this application in accordance with 37
C.F.R. § 1.56.

PRIORITY CLAIM (35 U.S.C. § 119)

Prior Foreign Application(s)

I claim foreign priority benefits under 35 U.S.C. § 119(a-d) of any
foreign application(s) for patent or inventor's certificate listed below, each
of which is incorporated by reference in its entirety, and have also
identified below any foreign application for patent or inventor's certificate
having a filing date before that of the application on which priority is
claimed:



Number        Country   Day/Month/Year Filed   Priority Claimed
FR99 12465    France    1 October 1999         Yes X   No
FR99 12467    France    1 October 1999         Yes X   No
FR99 12468    France    1 October 1999         Yes X   No
FR00 09644    France    21 July 2000           Yes X   No



Prior Provisional Application(s)

I hereby claim the benefit under 35 U.S.C. § 119(e) of any United
States Provisional Application(s) listed below, each of which is incorporated
by reference in its entirety:

Number        Day/Month/Year Filed



PRIORITY CLAIM (35 U.S.C. § 120) 

I claim the benefit under 35 U.S.C. § 120 of any United States
application(s) listed below, each of which is incorporated by reference in its
entirety. Insofar as the subject matter of each of the claims of this
application is not disclosed in the prior United States application in the
manner provided by the first paragraph of 35 U.S.C. § 112, I acknowledge the
duty to disclose to the Patent Office all information known to me to be
material to patentability as defined in 37 C.F.R. § 1.56 which became available
between the filing date of the prior application and the national or PCT
international filing date of this application:

Appln. No.             U.S. Appl. No.   Filing Date   Status
(if any under PCT)




DECLARATION

I declare that all statements made herein that are of my own
knowledge are true and that all statements that are made on information and
belief are believed to be true; and further that these statements were made
with the knowledge that willful false statements and the like so made are
punishable by fine or imprisonment, or both, under 18 U.S.C. § 1001 of Title 18
of the United States Code and that such willful false statements may jeopardize
the validity of the application or any patent issued thereon.

POWER OF ATTORNEY

I appoint the following attorneys and agents to prosecute the
patent application identified above and to transact all business in the Patent
and Trademark Office connected therewith, including full power of association,
substitution and revocation: Judson K. Champlin, Reg. No. 34,797; Joseph R.
Kelly, Reg. No. 34,847; Nickolas E. Westman, Reg. No. 20,147; Steven M.
Koehler, Reg. No. 36,188; David D. Brush, Reg. No. 34,557; John D.
Veldhuis-Kroeze, Reg. No. 38,354; Deirdre Megley Kvale, Reg. No. 35,612;
Theodore M. Magee, Reg. No. 39,758; Christopher R. Christenson, Reg. No.
42,413; Brian D. Kaul, Reg. No. 41,885; Robert M. Angus, Reg. No. 24,383;
Christopher L. Holt, Reg. No. 45,844; Alan G. Rego, Reg. No. 45,956; and
David C. Bohn, Reg. No. 32,015.

I ratify all prior actions taken by Westman, Champlin & Kelly, P.A.
or the attorneys and agents mentioned above in connection with the prosecution
of the above-mentioned patent application.

DESIGNATION OF CORRESPONDENCE ADDRESS

Please address all correspondence and telephone calls to Robert M.
Angus in care of:

WESTMAN, CHAMPLIN & KELLY, P.A.
Suite 1600 - International Centre
900 Second Avenue South
Minneapolis, Minnesota 55402-3319
Phone: (612) 334-3222 Fax: (612) 334-3312

Inventor: (Signature)    Date:

Inventor: Louis Guillou (Printed Name)

Residence: Bourgbarre, France    Citizenship: France

P.O. Address: 16, rue de l'Ise, Bourgbarre, France 35230

Inventor: (Signature)    Date:

Inventor: Jean-Jacques Quisquater (Printed Name)

Residence: Rhode Saint Genese, Belgium    Citizenship: Belgium

P.O. Address: 3, avenue des Canards, Rhode Saint Genese, Belgium 1640



